/* * Copyright (C) 2012-2014 Dominik Schürmann * Copyright (C) 2011-2014 Thialfihar * Copyright (C) 2011 Senecaso * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.sufficientlysecure.keychain.keyimport; import okhttp3.MediaType; import okhttp3.OkHttpClient; import okhttp3.Request; import okhttp3.RequestBody; import okhttp3.Response; import org.sufficientlysecure.keychain.Constants; import org.sufficientlysecure.keychain.pgp.PgpHelper; import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils; import org.sufficientlysecure.keychain.util.Log; import org.sufficientlysecure.keychain.util.OkHttpClientFactory; import org.sufficientlysecure.keychain.util.TlsHelper; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.net.Proxy; import java.net.URL; import java.net.URLDecoder; import java.net.URLEncoder; import java.util.ArrayList; import java.util.Arrays; import java.util.Comparator; import java.util.GregorianCalendar; import java.util.Locale; import java.util.TimeZone; import java.util.regex.Matcher; import java.util.regex.Pattern; import android.support.annotation.NonNull; import de.measite.minidns.Client; import de.measite.minidns.Question; import de.measite.minidns.Record; import de.measite.minidns.record.SRV; public class HkpKeyserver extends Keyserver { private static class HttpError extends Exception { private static final long serialVersionUID = 1718783705229428893L; private int mCode; private String mData; public HttpError(int code, String data) { super("" + code + ": " + data); mCode = code; mData = data; } public int getCode() { return mCode; } public String getData() { return mData; } } private String mHost; private short mPort; private Proxy mProxy; private boolean mSecure; /** * pub:%keyid%:%algo%:%keylen%:%creationdate%:%expirationdate%:%flags% *

%keyid% = this is either the fingerprint or the key ID of the key. * Either the 16-digit or 8-digit key IDs are acceptable, but obviously the fingerprint is best. *
%algo% = the algorithm number, (i.e. 1==RSA, 17==DSA, etc). * See RFC-2440
%keylen% = the key length (i.e. 1024, 2048, 4096, etc.)
%creationdate% = creation date of the key in standard * RFC-2440 form (i.e. number of * seconds since 1/1/1970 UTC time)
%expirationdate% = expiration date of the key in standard * RFC-2440 form (i.e. number of * seconds since 1/1/1970 UTC time)
%flags% = letter codes to indicate details of the key, if any. Flags may be in any * order. The meaning of "disabled" is implementation-specific. Note that individual flags may * be unimplemented, so the absence of a given flag does not necessarily mean the absence of the * detail. *
- r == revoked
- d == disabled
- e == expired
*

* * @see * 5.2. Machine Readable Indexes * in Internet-Draft OpenPGP HTTP Keyserver Protocol Document */ public static final Pattern PUB_KEY_LINE = Pattern .compile("pub:([0-9a-fA-F]+):([0-9]+):([0-9]+):([0-9]+):([0-9]*):([rde]*)[ \n\r]*" // pub line + "((uid:([^:]*):([0-9]+):([0-9]*):([rde]*)[ \n\r]*)+)", // one or more uid lines Pattern.CASE_INSENSITIVE ); /** * uid:%escaped uid string%:%creationdate%:%expirationdate%:%flags% *

%escaped uid string% = the user ID string, with HTTP %-escaping for anything that * isn't 7-bit safe as well as for the ":" character. Any other characters may be escaped, as * desired.
%creationdate% = creation date of the key in standard * RFC-2440 form (i.e. number of * seconds since 1/1/1970 UTC time)
%expirationdate% = expiration date of the key in standard * RFC-2440 form (i.e. number of * seconds since 1/1/1970 UTC time)
%flags% = letter codes to indicate details of the key, if any. Flags may be in any * order. The meaning of "disabled" is implementation-specific. Note that individual flags may * be unimplemented, so the absence of a given flag does not necessarily mean the absence of * the detail. *
- r == revoked
- d == disabled
- e == expired
*

*/ public static final Pattern UID_LINE = Pattern .compile("uid:([^:]*):([0-9]+):([0-9]*):([rde]*)", Pattern.CASE_INSENSITIVE); private static final short PORT_DEFAULT = 11371; private static final short PORT_DEFAULT_HKPS = 443; /** * @param hostAndPort may be just * "hostname" (eg. "pool.sks-keyservers.net"), then it will * connect using {@link #PORT_DEFAULT}. However, port may be specified after colon * ("hostname:port", eg. "p80.pool.sks-keyservers.net:80"). */ public HkpKeyserver(String hostAndPort, Proxy proxy) { String host = hostAndPort; short port = PORT_DEFAULT; boolean secure = false; String[] parts = hostAndPort.split(":"); if (parts.length > 1) { if (!parts[0].contains(".")) { // This is not a domain or ip, so it must be a protocol name if ("hkps".equalsIgnoreCase(parts[0]) || "https".equalsIgnoreCase(parts[0])) { secure = true; port = PORT_DEFAULT_HKPS; } else if (!"hkp".equalsIgnoreCase(parts[0]) && !"http".equalsIgnoreCase(parts[0])) { throw new IllegalArgumentException("Protocol " + parts[0] + " is unknown"); } host = parts[1]; if (host.startsWith("//")) { // People tend to type https:// and hkps://, so we'll support that as well host = host.substring(2); } if (parts.length > 2) { port = Short.decode(parts[2]); } } else { host = parts[0]; port = Short.decode(parts[1]); } } mHost = host; mPort = port; mProxy = proxy; mSecure = secure; } public HkpKeyserver(String host, short port, Proxy proxy) { this(host, port, proxy, false); } public HkpKeyserver(String host, short port, Proxy proxy, boolean secure) { mHost = host; mPort = port; mProxy = proxy; mSecure = secure; } private String getUrlPrefix() { return mSecure ? "https://" : "http://"; } private String query(String request, @NonNull Proxy proxy) throws QueryFailedException, HttpError { try { URL url = new URL(getUrlPrefix() + mHost + ":" + mPort + request); Log.d(Constants.TAG, "hkp keyserver query: " + url + " Proxy: " + proxy); OkHttpClient client = OkHttpClientFactory.getClientPinnedIfAvailable(url, proxy); Response response = client.newCall(new Request.Builder().url(url).build()).execute(); String responseBody = response.body().string(); // contains body both in case of success or failure if (response.isSuccessful()) { return responseBody; } else { throw new HttpError(response.code(), responseBody); } } catch (IOException e) { Log.e(Constants.TAG, "IOException at HkpKeyserver", e); throw new QueryFailedException("Keyserver '" + mHost + "' is unavailable. Check your Internet connection!" + (proxy == Proxy.NO_PROXY ? "" : " Using proxy " + proxy)); } catch (TlsHelper.TlsHelperException e) { Log.e(Constants.TAG, "Exception in pinning certs", e); throw new QueryFailedException("Exception in pinning certs"); } } /** * Results are sorted by creation date of key! */ @Override public ArrayList search(String query) throws QueryFailedException, QueryNeedsRepairException { ArrayList results = new ArrayList<>(); if (query.length() < 3) { throw new QueryTooShortException(); } String encodedQuery; try { encodedQuery = URLEncoder.encode(query, "UTF8"); } catch (UnsupportedEncodingException e) { return null; } String request = "/pks/lookup?op=index&options=mr&search=" + encodedQuery; String data; try { data = query(request, mProxy); } catch (HttpError e) { if (e.getData() != null) { Log.d(Constants.TAG, "returned error data: " + e.getData().toLowerCase(Locale.ENGLISH)); if (e.getData().toLowerCase(Locale.ENGLISH).contains("no keys found")) { // NOTE: This is also a 404 error for some keyservers! return results; } else if (e.getData().toLowerCase(Locale.ENGLISH).contains("too many")) { throw new TooManyResponsesException(); } else if (e.getData().toLowerCase(Locale.ENGLISH).contains("insufficient")) { throw new QueryTooShortException(); } else if (e.getCode() == 404) { // NOTE: handle this 404 at last, maybe it was a "no keys found" error throw new QueryFailedException("Keyserver '" + mHost + "' not found. Error 404"); } else { // NOTE: some keyserver do not provide a more detailed error response throw new QueryTooShortOrTooManyResponsesException(); } } throw new QueryFailedException("Querying server(s) for '" + mHost + "' failed."); } final Matcher matcher = PUB_KEY_LINE.matcher(data); while (matcher.find()) { final ImportKeysListEntry entry = new ImportKeysListEntry(); entry.setQuery(query); entry.addOrigin(getUrlPrefix() + mHost + ":" + mPort); // group 1 contains the full fingerprint (v4) or the long key id if available // see https://bitbucket.org/skskeyserver/sks-keyserver/pull-request/12/fixes-for-machine-readable-indexes/diff String fingerprintOrKeyId = matcher.group(1).toLowerCase(Locale.ENGLISH); if (fingerprintOrKeyId.length() == 40) { entry.setFingerprintHex(fingerprintOrKeyId); entry.setKeyIdHex("0x" + fingerprintOrKeyId.substring(fingerprintOrKeyId.length() - 16, fingerprintOrKeyId.length())); } else if (fingerprintOrKeyId.length() == 16) { // set key id only entry.setKeyIdHex("0x" + fingerprintOrKeyId); } else { Log.e(Constants.TAG, "Wrong length for fingerprint/long key id."); // skip this key continue; } try { int bitSize = Integer.parseInt(matcher.group(3)); entry.setBitStrength(bitSize); int algorithmId = Integer.decode(matcher.group(2)); entry.setAlgorithm(KeyFormattingUtils.getAlgorithmInfo(algorithmId, bitSize, null)); final long creationDate = Long.parseLong(matcher.group(4)); final GregorianCalendar tmpGreg = new GregorianCalendar(TimeZone.getTimeZone("UTC")); tmpGreg.setTimeInMillis(creationDate * 1000); entry.setDate(tmpGreg.getTime()); } catch (NumberFormatException e) { Log.e(Constants.TAG, "Conversation for bit size, algorithm, or creation date failed.", e); // skip this key continue; } try { entry.setRevoked(matcher.group(6).contains("r")); entry.setExpired(matcher.group(6).contains("e")); } catch (NullPointerException e) { Log.e(Constants.TAG, "Check for revocation or expiry failed.", e); // skip this key continue; } ArrayList userIds = new ArrayList<>(); final String uidLines = matcher.group(7); final Matcher uidMatcher = UID_LINE.matcher(uidLines); while (uidMatcher.find()) { String tmp = uidMatcher.group(1).trim(); if (tmp.contains("%")) { if (tmp.contains("%%")) { // The server encodes a percent sign as %%, so it is swapped out with its // urlencoded counterpart to prevent errors tmp = tmp.replace("%%", "%25"); } try { // converts Strings like "Universit%C3%A4t" to a proper encoding form "Universität". tmp = URLDecoder.decode(tmp, "UTF8"); } catch (UnsupportedEncodingException ignored) { // will never happen, because "UTF8" is supported } catch (IllegalArgumentException e) { Log.e(Constants.TAG, "User ID encoding broken", e); // skip this user id continue; } } userIds.add(tmp); } entry.setUserIds(userIds); entry.setPrimaryUserId(userIds.get(0)); results.add(entry); } return results; } @Override public String get(String keyIdHex) throws QueryFailedException { String request = "/pks/lookup?op=get&options=mr&search=" + keyIdHex; Log.d(Constants.TAG, "hkp keyserver get: " + request + " using Proxy: " + mProxy); String data; try { data = query(request, mProxy); } catch (HttpError httpError) { Log.d(Constants.TAG, "Failed to get key at HkpKeyserver", httpError); throw new QueryFailedException("not found"); } if (data == null) { throw new QueryFailedException("data is null"); } Matcher matcher = PgpHelper.PGP_PUBLIC_KEY.matcher(data); if (matcher.find()) { return matcher.group(1); } throw new QueryFailedException("data is null"); } @Override public void add(String armoredKey) throws AddKeyException { try { String path = "/pks/add"; String params; try { params = "keytext=" + URLEncoder.encode(armoredKey, "UTF-8"); } catch (UnsupportedEncodingException e) { throw new AddKeyException(); } URL url = new URL(getUrlPrefix() + mHost + ":" + mPort + path); Log.d(Constants.TAG, "hkp keyserver add: " + url); Log.d(Constants.TAG, "params: " + params); RequestBody body = RequestBody.create(MediaType.parse("application/x-www-form-urlencoded"), params); Request request = new Request.Builder() .url(url) .addHeader("Content-Type", "application/x-www-form-urlencoded") .addHeader("Content-Length", Integer.toString(params.getBytes().length)) .post(body) .build(); Response response = OkHttpClientFactory.getClientPinnedIfAvailable(url, mProxy).newCall(request).execute(); Log.d(Constants.TAG, "response code: " + response.code()); Log.d(Constants.TAG, "answer: " + response.body().string()); if (response.code() != 200) { throw new AddKeyException(); } } catch (IOException e) { Log.e(Constants.TAG, "IOException", e); throw new AddKeyException(); } catch (TlsHelper.TlsHelperException e) { Log.e(Constants.TAG, "Exception in pinning certs", e); throw new AddKeyException(); } } @Override public String toString() { return getUrlPrefix() + mHost + ":" + mPort; } /** * Tries to find a server responsible for a given domain * * @return A responsible Keyserver or null if not found. */ public static HkpKeyserver resolve(String domain, Proxy proxy) { try { Record[] records = new Client().query(new Question("_hkp._tcp." + domain, Record.TYPE.SRV)).getAnswers(); if (records.length > 0) { Arrays.sort(records, new Comparator() { @Override public int compare(Record lhs, Record rhs) { if (lhs.getPayload().getType() != Record.TYPE.SRV) return 1; if (rhs.getPayload().getType() != Record.TYPE.SRV) return -1; return ((SRV) lhs.getPayload()).getPriority() - ((SRV) rhs.getPayload()).getPriority(); } }); Record record = records[0]; // This is our best choice if (record.getPayload().getType() == Record.TYPE.SRV) { return new HkpKeyserver(((SRV) record.getPayload()).getName(), (short) ((SRV) record.getPayload()).getPort(), proxy); } } } catch (Exception ignored) { } return null; } }