summaryrefslogtreecommitdiff
path: root/app/src/release
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2015-04-21 20:37:19 +0200
committerParménides GV <parmegv@sdf.org>2015-04-22 12:03:09 +0200
commite2b289726f3c1813f9fafecc94bc61a70dbdb899 (patch)
tree5a0515c13c922e91ad193694fd9550b37e37546e /app/src/release
parent467abc3431e2ae148ea72e2c3b4c560473424c3f (diff)
Pinning connection to provider.json
Using AndroidPinning library from Moxie, I make sure the provider.json file Bitmask downloads is fetched from a pinned https connection, so that the api certificate fingerprint is the good one.
Diffstat (limited to 'app/src/release')
-rw-r--r--app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java23
-rw-r--r--app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java43
2 files changed, 51 insertions, 15 deletions
diff --git a/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java b/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java
index 19ba1ba8..68ff9e47 100644
--- a/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java
+++ b/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java
@@ -126,7 +126,7 @@ public class ConfigurationWizard extends Activity
if (fragment_manager.findFragmentByTag(ProviderDetailFragment.TAG) == null && setting_up_provider) {
if (selected_provider != null)
- onItemSelectedUi(selected_provider);
+ onItemSelectedUi();
if (progress > 0)
mProgressBar.setProgress(progress);
}
@@ -229,17 +229,17 @@ public class ConfigurationWizard extends Activity
void onItemSelected(int position) {
//TODO Code 2 pane view
selected_provider = adapter.getItem(position);
- onItemSelectedUi(selected_provider);
- onItemSelectedLogic(selected_provider);
+ onItemSelectedUi();
+ onItemSelectedLogic();
}
- private void onItemSelectedLogic(Provider selected_provider) {
- setUpProvider(selected_provider.mainUrl());
+ private void onItemSelectedLogic() {
+ setUpProvider();
}
- private void onItemSelectedUi(Provider provider) {
+ private void onItemSelectedUi() {
startProgressBar();
- adapter.hideAllBut(adapter.indexOf(provider));
+ adapter.hideAllBut(adapter.indexOf(selected_provider));
}
@Override
@@ -379,8 +379,8 @@ public class ConfigurationWizard extends Activity
private void autoSelectProvider(Provider provider) {
selected_provider = provider;
- onItemSelectedUi(selected_provider);
- onItemSelectedLogic(selected_provider);
+ onItemSelectedUi();
+ onItemSelectedLogic();
}
/**
@@ -389,10 +389,11 @@ public class ConfigurationWizard extends Activity
* @param provider_name
* @param provider_main_url
*/
- public void setUpProvider(URL provider_main_url) {
+ public void setUpProvider() {
Intent provider_API_command = new Intent(this, ProviderAPI.class);
Bundle parameters = new Bundle();
- parameters.putString(Provider.MAIN_URL, provider_main_url.toString());
+ parameters.putString(Provider.MAIN_URL, selected_provider.mainUrl().toString());
+ parameters.putString(Provider.CA_CERT_FINGERPRINT, selected_provider.certificatePin());
provider_API_command.setAction(ProviderAPI.SET_UP_PROVIDER);
provider_API_command.putExtra(ProviderAPI.PARAMETERS, parameters);
diff --git a/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java
index 890262ce..a96556bc 100644
--- a/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java
+++ b/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java
@@ -34,6 +34,7 @@ import javax.net.ssl.*;
import org.apache.http.client.*;
import org.json.*;
+import org.thoughtcrime.ssl.pinning.util.*;
import se.leap.bitmaskclient.ProviderListContent.ProviderItem;
import se.leap.bitmaskclient.eip.*;
@@ -87,6 +88,7 @@ public class ProviderAPI extends IntentService {
private static boolean go_ahead = true;
private static SharedPreferences preferences;
private static String provider_api_url;
+ private static String provider_ca_cert_fingerprint;
private Resources resources;
public static void stop() {
@@ -504,13 +506,19 @@ public class ProviderAPI extends IntentService {
Bundle current_download = new Bundle();
if (task != null && task.containsKey(Provider.MAIN_URL)) {
- last_provider_main_url = task.getString(Provider.MAIN_URL);
+ last_provider_main_url = task.containsKey(Provider.MAIN_URL) ?
+ task.getString(Provider.MAIN_URL) :
+ "";
+ provider_ca_cert_fingerprint = task.containsKey(Provider.CA_CERT_FINGERPRINT) ?
+ task.getString(Provider.CA_CERT_FINGERPRINT) :
+ "";
+
CA_CERT_DOWNLOADED = PROVIDER_JSON_DOWNLOADED = EIP_SERVICE_JSON_DOWNLOADED = false;
go_ahead = true;
}
if (!PROVIDER_JSON_DOWNLOADED)
- current_download = getAndSetProviderJson(last_provider_main_url);
+ current_download = getAndSetProviderJson(last_provider_main_url, provider_ca_cert_fingerprint);
if (PROVIDER_JSON_DOWNLOADED || (current_download.containsKey(RESULT_KEY) && current_download.getBoolean(RESULT_KEY))) {
broadcastProgress(progress++);
PROVIDER_JSON_DOWNLOADED = true;
@@ -602,11 +610,16 @@ public class ProviderAPI extends IntentService {
return hexData.toString();
}
- private Bundle getAndSetProviderJson(String provider_main_url) {
+ private Bundle getAndSetProviderJson(String provider_main_url, String provider_ca_cert_fingerprint) {
Bundle result = new Bundle();
if (go_ahead) {
- String provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json");
+ String provider_dot_json_string;
+
+ if(provider_ca_cert_fingerprint.isEmpty())
+ provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json");
+ else
+ provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json", provider_ca_cert_fingerprint);
try {
JSONObject provider_json = new JSONObject(provider_dot_json_string);
@@ -672,6 +685,28 @@ public class ProviderAPI extends IntentService {
return error_message;
}
+ private String downloadWithCommercialCA(String url_string, String ca_cert_fingerprint) {
+ String result = "";
+
+ int seconds_of_timeout = 2;
+ String[] pins = new String[] {ca_cert_fingerprint};
+ try {
+ URL url = new URL(url_string);
+ HttpsURLConnection connection = PinningHelper.getPinnedHttpsURLConnection(Dashboard.getContext(), pins, url);
+ connection.setConnectTimeout(seconds_of_timeout * 1000);
+ if (!LeapSRPSession.getToken().isEmpty())
+ connection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token = " + LeapSRPSession.getToken());
+ result = new Scanner(connection.getInputStream()).useDelimiter("\\A").next();
+ } catch (IOException e) {
+ if(e instanceof SSLHandshakeException)
+ result = formatErrorMessage(R.string.error_security_pinnedcertificate);
+ else
+ result = formatErrorMessage(R.string.error_io_exception_user_message);
+ }
+
+ return result;
+ }
+
/**
* Tries to download the contents of the provided url using commercially validated CA certificate from chosen provider.
*