diff options
author | cyberta <cyberta@riseup.net> | 2021-12-20 22:12:06 +0000 |
---|---|---|
committer | cyberta <cyberta@riseup.net> | 2021-12-20 22:12:06 +0000 |
commit | f6cc3e6ad236c3923b398b2ceae9bf2b472dc43a (patch) | |
tree | 452e8750878c43aea287644c1750f1642c707f91 /app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java | |
parent | f459db047966a21d80b4e039429419c5091c1eeb (diff) | |
parent | d5e64c8c71f188df4e25715231179c979e8ab7a9 (diff) |
Merge branch 'certificate_transition' into 'master'
Certificate transition
See merge request leap/bitmask_android!155
Diffstat (limited to 'app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java')
-rw-r--r-- | app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java | 50 |
1 files changed, 31 insertions, 19 deletions
diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java index 808d9e75..63cf03cf 100644 --- a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java +++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java @@ -849,18 +849,24 @@ public abstract class ProviderApiManagerBase { protected boolean validCertificate(Provider provider, String certString) { boolean result = false; if (!ConfigHelper.checkErroneousDownload(certString)) { - X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(certString); + ArrayList<X509Certificate> certificates = ConfigHelper.parseX509CertificatesFromString(certString); try { - if (certificate != null) { - JSONObject providerJson = provider.getDefinition(); - String fingerprint = providerJson.getString(Provider.CA_CERT_FINGERPRINT); - String encoding = fingerprint.split(":")[0]; - String expectedFingerprint = fingerprint.split(":")[1]; - String realFingerprint = getFingerprintFromCertificate(certificate, encoding); - - result = realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim()); - } else + if (certificates != null) { + if (certificates.size() == 1) { + JSONObject providerJson = provider.getDefinition(); + String fingerprint = providerJson.getString(Provider.CA_CERT_FINGERPRINT); + String encoding = fingerprint.split(":")[0]; + String expectedFingerprint = fingerprint.split(":")[1]; + String realFingerprint = getFingerprintFromCertificate(certificates.get(0), encoding); + result = realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim()); + } else { + // otherwise we assume the provider is transitioning the CA certs and thus shipping multiple CA certs + // in that case we don't do cert pinning + result = true; + } + } else { result = false; + } } catch (JSONException | NoSuchAlgorithmException | CertificateEncodingException e) { result = false; } @@ -910,18 +916,24 @@ public abstract class ProviderApiManagerBase { return result; } - X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(caCert); - if (certificate == null) { + ArrayList<X509Certificate> certificates = ConfigHelper.parseX509CertificatesFromString(caCert); + if (certificates == null) { return setErrorResult(result, warning_corrupted_provider_cert, ERROR_INVALID_CERTIFICATE.toString()); } try { - certificate.checkValidity(); String encoding = provider.getCertificatePinEncoding(); String expectedFingerprint = provider.getCertificatePin(); - String realFingerprint = getFingerprintFromCertificate(certificate, encoding); - if (!realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim())) { - return setErrorResult(result, warning_corrupted_provider_cert, ERROR_CERTIFICATE_PINNING.toString()); + // Do certificate pinning only if we have 1 cert, otherwise we assume some transitioning of + // X509 certs, therefore we cannot do cert pinning + if (certificates.size() == 1) { + String realFingerprint = getFingerprintFromCertificate(certificates.get(0), encoding); + if (!realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim())) { + return setErrorResult(result, warning_corrupted_provider_cert, ERROR_CERTIFICATE_PINNING.toString()); + } + } + for (X509Certificate certificate : certificates) { + certificate.checkValidity(); } if (!canConnect(provider, result)) { @@ -1073,9 +1085,9 @@ public abstract class ProviderApiManagerBase { keyString = Base64.encodeToString(key.getEncoded(), Base64.DEFAULT); provider.setPrivateKey( "-----BEGIN RSA PRIVATE KEY-----\n" + keyString + "-----END RSA PRIVATE KEY-----"); - X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(certificateString); - certificate.checkValidity(); - certificateString = Base64.encodeToString(certificate.getEncoded(), Base64.DEFAULT); + ArrayList<X509Certificate> certificates = ConfigHelper.parseX509CertificatesFromString(certificateString); + certificates.get(0).checkValidity(); + certificateString = Base64.encodeToString(certificates.get(0).getEncoded(), Base64.DEFAULT); provider.setVpnCertificate( "-----BEGIN CERTIFICATE-----\n" + certificateString + "-----END CERTIFICATE-----"); result.putBoolean(BROADCAST_RESULT_KEY, true); } catch (CertificateException | NullPointerException e) { |