authorParménides GV <parmegv@sdf.org>2013-03-14 19:53:31 +0100
committerParménides GV <parmegv@sdf.org>2013-03-14 19:53:31 +0100
commit203c8caca5a305b90fd0e69c965e503afe979354 (patch)
tree843956654a949dc64b7e4f758847820b432f0454 /src/se/leap/leapclient
parent929fa9a3b7621e0a956ed8d7beffb87ed7f16249 (diff)
After downloading provider.json successfully, ConfigurationWizard now
can download eip-service.json and ca.crt without having the latter as a predefined trusted certificate. It does not ask anything about trusting the new certificate, since selecting a custom provider means that the user trusts that URL. Next step: make provider.json also downloadable from an https address using a ca.cert that is not yet trusted.
Diffstat (limited to 'src/se/leap/leapclient')
-rw-r--r--src/se/leap/leapclient/ConfigHelper.java70
-rw-r--r--src/se/leap/leapclient/ConfigurationWizard.java6
-rw-r--r--src/se/leap/leapclient/LeapHttpClient.java15
-rw-r--r--src/se/leap/leapclient/ProviderAPI.java13
4 files changed, 90 insertions, 14 deletions
diff --git a/src/se/leap/leapclient/ConfigHelper.java b/src/se/leap/leapclient/ConfigHelper.java
index f5800a0e..b6526691 100644
--- a/src/se/leap/leapclient/ConfigHelper.java
+++ b/src/se/leap/leapclient/ConfigHelper.java
@@ -8,6 +8,12 @@ import java.io.FileNotFoundException;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
import org.json.JSONException;
import org.json.JSONObject;
@@ -19,6 +25,7 @@ import android.util.Log;
public class ConfigHelper {
public static SharedPreferences shared_preferences;
+ private static KeyStore keystore_trusted;
final static String downloadJsonFilesBundleExtra = "downloadJSONFiles";
final static String downloadNewProviderDotJSON = "downloadNewProviderDotJSON";
@@ -90,4 +97,67 @@ public class ConfigHelper {
SharedPreferences shared_preferences) {
ConfigHelper.shared_preferences = shared_preferences;
}
+
+ public static void addTrustedCertificate(String provider, InputStream inputStream) {
+ CertificateFactory cf;
+ try {
+ cf = CertificateFactory.getInstance("X.509");
+ X509Certificate cert =
+ (X509Certificate)cf.generateCertificate(inputStream);
+ keystore_trusted.setCertificateEntry("provider", cert);
+ } catch (CertificateException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ } catch (KeyStoreException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ }
+
+ public static void addTrustedCertificate(String provider, String certificate) {
+ String filename_to_save = provider + "_certificate.cer";
+ saveFile(filename_to_save, certificate);
+ CertificateFactory cf;
+ try {
+ cf = CertificateFactory.getInstance("X.509");
+ X509Certificate cert =
+ (X509Certificate)cf.generateCertificate(openFileInputStream(filename_to_save));
+ keystore_trusted.setCertificateEntry("provider", cert);
+ } catch (CertificateException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ } catch (KeyStoreException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ }
+
+ public static KeyStore getKeystore() {
+ return keystore_trusted;
+ }
+
+ public static void getNewKeystore(InputStream leap_keystore) {
+ try {
+ keystore_trusted = KeyStore.getInstance("BKS");
+ try {
+ // Initialize the keystore with the provided trusted certificates
+ // Also provide the password of the keystore
+ keystore_trusted.load(leap_keystore, "uer92jf".toCharArray());
+ } finally {
+ leap_keystore.close();
+ }
+ } catch (KeyStoreException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ } catch (NoSuchAlgorithmException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ } catch (CertificateException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ } catch (IOException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ }
+ }
}
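Review bot: Both addTrustedCertificate overloads store the certificate under the string literal `"provider"` (`keystore_trusted.setCertificateEntry("provider", cert);`) instead of the `provider` parameter, so adding a second provider's CA silently replaces the first; the fix is `keystore_trusted.setCertificateEntry(provider, cert);` at both call sites. The InputStream overload also never closes `inputStream`, and every catch block only prints the stack trace, so a caller such as ProviderAPI cannot tell that the trust store was not updated — rethrowing, or returning a boolean, would make that visible. The same swallowing in getNewKeystore can leave `keystore_trusted` null or not loaded while getKeystore() still hands it out unchanged. The keystore password moved here from LeapHttpClient as a string literal; that is not new in this commit, but a comment stating that the BKS file is a bundled trust store (public CA certificates, password for integrity only) would stop readers mistaking it for a secret.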
diff --git a/src/se/leap/leapclient/ConfigurationWizard.java b/src/se/leap/leapclient/ConfigurationWizard.java
index dcefb271..69e13f19 100644
--- a/src/se/leap/leapclient/ConfigurationWizard.java
+++ b/src/se/leap/leapclient/ConfigurationWizard.java
@@ -1,6 +1,7 @@
package se.leap.leapclient;
import java.io.IOException;
+import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.Iterator;
import java.util.Scanner;
@@ -63,6 +64,11 @@ public class ConfigurationWizard extends Activity
loadPreseededProviders();
+ if(ConfigHelper.getKeystore() == null) {
+ InputStream keystore_input_stream = getResources().openRawResource(R.raw.leapkeystore);
+ ConfigHelper.getNewKeystore(keystore_input_stream);
+ }
+
// Only create our fragments if we're not restoring a saved instance
if ( savedInstanceState == null ){
// TODO Some welcome screen?
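Review bot: The null check on `ConfigHelper.getKeystore()` only decides whether to attempt the initial load; because getNewKeystore catches every exception and just prints the trace, the keystore can still be null (or not loaded) after the call, and the wizard proceeds anyway, which LeapHttpClient later passes to `new SSLSocketFactory(trusted)`. A re-check after the call, `if (ConfigHelper.getKeystore() == null) { /* fail visibly: trust store could not be loaded */ }`, or letting getNewKeystore propagate the failure, would make the trust-store state explicit here. The enclosing method starts before and ends after this hunk.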
diff --git a/src/se/leap/leapclient/LeapHttpClient.java b/src/se/leap/leapclient/LeapHttpClient.java
index 9e1a541b..9ee0a95e 100644
--- a/src/se/leap/leapclient/LeapHttpClient.java
+++ b/src/se/leap/leapclient/LeapHttpClient.java
@@ -33,23 +33,16 @@ public class LeapHttpClient extends DefaultHttpClient {
private SSLSocketFactory newSslSocketFactory() {
try {
// Get an instance of the Bouncy Castle KeyStore format
- KeyStore trusted = KeyStore.getInstance("BKS");
- // Get the raw resource, which contains the keystore with
- // your trusted certificates (root and any intermediate certs)
- InputStream in = context.getResources().openRawResource(R.raw.leapkeystore);
- try {
- // Initialize the keystore with the provided trusted certificates
- // Also provide the password of the keystore
- trusted.load(in, "uer92jf".toCharArray());
- } finally {
- in.close();
- }
+ KeyStore trusted = ConfigHelper.getKeystore();
+
// Pass the keystore to the SSLSocketFactory. The factory is responsible
// for the verification of the server certificate.
SSLSocketFactory sf = new SSLSocketFactory(trusted);
+
// Hostname verification from certificate
// http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+
return sf;
} catch (Exception e) {
throw new AssertionError(e);
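Review bot: `KeyStore trusted = ConfigHelper.getKeystore();` can return null when nothing has yet called ConfigHelper.getNewKeystore (in this commit only ConfigurationWizard does, and only conditionally), and the SSLSocketFactory constructor presumably rejects a null trust store, which the surrounding `catch (Exception e)` turns into an AssertionError crash; a guard such as `if (trusted == null) throw new IllegalStateException("trust store not initialised");` makes the ordering dependency explicit. The trust managers are built from the keystore when the factory is constructed, so certificates added later through ConfigHelper.addTrustedCertificate are likely not seen by an SSLSocketFactory created earlier — worth a comment on newSslSocketFactory if a LeapHttpClient instance is reused across the wizard flow. The pre-existing `ALLOW_ALL_HOSTNAME_VERIFIER` is unchanged here, but now that provider CAs are added at runtime, any certificate issued by any trusted CA is accepted for any host; a verifier that checks the provider's domain would tighten that. The method's closing lines lie outside the hunk.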
diff --git a/src/se/leap/leapclient/ProviderAPI.java b/src/se/leap/leapclient/ProviderAPI.java
index 1dc7c9f6..01cbd01c 100644
--- a/src/se/leap/leapclient/ProviderAPI.java
+++ b/src/se/leap/leapclient/ProviderAPI.java
@@ -1,6 +1,9 @@
package se.leap.leapclient;
import java.io.IOException;
+import java.net.URL;
+import java.security.Provider;
+import java.security.Security;
import java.util.Scanner;
import org.apache.http.HttpEntity;
@@ -38,14 +41,18 @@ public class ProviderAPI extends IntentService {
try {
JSONObject provider_json = new JSONObject("{ \"provider\" : \"" + provider_name + "\"}");
ConfigHelper.saveSharedPref(ConfigHelper.provider_key, provider_json);
- String cert_string = getStringFromProvider(cert_url);
+
+ /*String cert_string = getStringFromProvider(cert_url);
JSONObject cert_json = new JSONObject("{ \"certificate\" : \"" + cert_string + "\"}");
ConfigHelper.saveSharedPref(ConfigHelper.cert_key, cert_json);
+ ConfigHelper.addTrustedCertificate(provider_name, cert_string);*/
+ URL cacert = new URL(cert_url);
+ ConfigHelper.addTrustedCertificate(provider_name, cacert.openStream());
JSONObject eip_service_json = getJSONFromProvider(eip_service_json_url);
ConfigHelper.saveSharedPref(ConfigHelper.eip_service_key, eip_service_json);
receiver.send(ConfigHelper.CORRECTLY_DOWNLOADED_JSON_FILES, Bundle.EMPTY);
} catch (IOException e) {
- // TODO Auto-generated catch block
+ // TODO It could happen that an https site used a certificate not trusted.
e.printStackTrace();
receiver.send(ConfigHelper.INCORRECTLY_DOWNLOADED_JSON_FILES, Bundle.EMPTY);
} catch (JSONException e) {
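Review bot: `cacert.openStream()` is handed straight to ConfigHelper.addTrustedCertificate and neither side closes it; wrap it as `InputStream cert_stream = cacert.openStream(); try { ConfigHelper.addTrustedCertificate(provider_name, cert_stream); } finally { cert_stream.close(); }`. The commented-out block above it (`/*String cert_string = ...*/`) should be deleted rather than kept, and since the certificate is no longer written under `ConfigHelper.cert_key`, any reader of that preference elsewhere needs checking. As the commit message states, the CA fetched from cert_url is trusted solely because the user chose that URL; a comment at this line recording that decision (and that an https cert_url signed by that same not-yet-trusted CA will fail here, as the TODO in the catch notes) would help the next reader. The new `java.security.Provider` and `java.security.Security` imports in the first hunk appear unused in the lines shown. The enclosing method starts before this hunk.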
@@ -69,7 +76,7 @@ public class ProviderAPI extends IntentService {
ProviderListContent.addItem(new ProviderItem(provider_name, ConfigHelper.openFileInputStream(filename), custom));
receiver.send(ConfigHelper.CUSTOM_PROVIDER_ADDED, Bundle.EMPTY);
} catch (IOException e) {
- // TODO Auto-generated catch block
+ // TODO It could happen that an https site used a certificate not trusted.
e.printStackTrace();
} catch (JSONException e) {
// TODO Auto-generated catch block