summaryrefslogtreecommitdiff
path: root/src/se/leap
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2013-08-14 17:09:36 +0200
committerParménides GV <parmegv@sdf.org>2013-08-14 17:09:36 +0200
commitf08737279b026b9ed6e9970b70965cba633de67a (patch)
tree713b0296b2487d05c549464c7b9369113526603d /src/se/leap
parent398dfb8478ea814b33097081a3a3313ee5f944f9 (diff)
parentb376b820640ed9f097c3d62011c5e9cf2462304b (diff)
Merge branch 'bug/lack-of-input-validation-on-user-certificates' into develop
Diffstat (limited to 'src/se/leap')
-rw-r--r--src/se/leap/leapclient/ConfigHelper.java31
-rw-r--r--src/se/leap/leapclient/ProviderAPI.java62
2 files changed, 71 insertions, 22 deletions
diff --git a/src/se/leap/leapclient/ConfigHelper.java b/src/se/leap/leapclient/ConfigHelper.java
index e139bf62..fd7e527f 100644
--- a/src/se/leap/leapclient/ConfigHelper.java
+++ b/src/se/leap/leapclient/ConfigHelper.java
@@ -23,12 +23,18 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.math.BigInteger;
import java.io.InputStream;
+import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
import org.json.JSONException;
import org.json.JSONObject;
@@ -315,6 +321,31 @@ public class ConfigHelper {
return (X509Certificate) certificate;
}
+
+ protected static RSAPrivateKey parseRsaKeyFromString(String RsaKeyString) {
+ RSAPrivateKey key = null;
+ try {
+ KeyFactory kf = KeyFactory.getInstance("RSA", "BC");
+
+ RsaKeyString = RsaKeyString.replaceFirst("-----BEGIN RSA PRIVATE KEY-----", "").replaceFirst("-----END RSA PRIVATE KEY-----", "");
+ PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec( Base64.decode(RsaKeyString, Base64.DEFAULT) );
+ key = (RSAPrivateKey) kf.generatePrivate(keySpec);
+ } catch (InvalidKeySpecException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ return null;
+ } catch (NoSuchAlgorithmException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ return null;
+ } catch (NoSuchProviderException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ return null;
+ }
+
+ return key;
+ }
/**
* Adds a new X509 certificate given its input stream and its provider name
diff --git a/src/se/leap/leapclient/ProviderAPI.java b/src/se/leap/leapclient/ProviderAPI.java
index dc0b2aa6..935d6a87 100644
--- a/src/se/leap/leapclient/ProviderAPI.java
+++ b/src/se/leap/leapclient/ProviderAPI.java
@@ -16,20 +16,9 @@
*/
package se.leap.leapclient;
-import java.io.ByteArrayInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
-import java.io.InputStream;
import java.math.BigInteger;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.security.SecureRandom;
-import javax.net.ssl.KeyManager;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.HttpCookie;
@@ -39,14 +28,23 @@ import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.net.UnknownHostException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
import java.util.Scanner;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.HttpEntity;
@@ -66,7 +64,6 @@ import org.json.JSONException;
import org.json.JSONObject;
import se.leap.leapclient.ProviderListContent.ProviderItem;
-
import android.app.IntentService;
import android.content.Intent;
import android.os.Bundle;
@@ -180,12 +177,19 @@ public class ProviderAPI extends IntentService {
boolean danger_on = task.getBoolean(ConfigHelper.DANGER_ON);
try {
String cert_string = getStringFromProvider(cert_url, danger_on);
- ConfigHelper.saveSharedPref(ConfigHelper.MAIN_CERT_KEY, cert_string);
+ X509Certificate certCert = ConfigHelper.parseX509CertificateFromString(cert_string);
+ cert_string = Base64.encodeToString( certCert.getEncoded(), Base64.DEFAULT);
+ ConfigHelper.saveSharedPref(ConfigHelper.MAIN_CERT_KEY, "-----BEGIN CERTIFICATE-----\n"+cert_string+"-----END CERTIFICATE-----");
+
JSONObject eip_service_json = getJSONFromProvider(eip_service_json_url, danger_on);
ConfigHelper.saveSharedPref(ConfigHelper.EIP_SERVICE_KEY, eip_service_json);
return true;
} catch (JSONException e) {
return false;
+ } catch (CertificateException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ return false;
}
}
@@ -726,17 +730,31 @@ public class ProviderAPI extends IntentService {
String cert_string = getStringFromProvider(new_cert_string_url, danger_on);
if(!cert_string.isEmpty()) {
// API returns concatenated cert & key. Split them for OpenVPN options
- String certificate = null, key = null;
+ String certificateString = null, keyString = null;
String[] certAndKey = cert_string.split("(?<=-\n)");
for (int i=0; i < certAndKey.length-1; i++){
- if ( certAndKey[i].contains("KEY") )
- key = certAndKey[i++] + certAndKey[i];
- else if ( certAndKey[i].contains("CERTIFICATE") )
- certificate = certAndKey[i++] + certAndKey[i];
+ if ( certAndKey[i].contains("KEY") ) {
+ keyString = certAndKey[i++] + certAndKey[i];
+ }
+ else if ( certAndKey[i].contains("CERTIFICATE") ) {
+ certificateString = certAndKey[i++] + certAndKey[i];
+ }
+ }
+ try {
+ RSAPrivateKey keyCert = ConfigHelper.parseRsaKeyFromString(keyString);
+ keyString = Base64.encodeToString( keyCert.getEncoded(), Base64.DEFAULT );
+ ConfigHelper.saveSharedPref(ConfigHelper.KEY_KEY, "-----BEGIN RSA PRIVATE KEY-----\n"+keyString+"-----END RSA PRIVATE KEY-----");
+
+ X509Certificate certCert = ConfigHelper.parseX509CertificateFromString(certificateString);
+ certificateString = Base64.encodeToString( certCert.getEncoded(), Base64.DEFAULT);
+ ConfigHelper.saveSharedPref(ConfigHelper.CERT_KEY, "-----BEGIN CERTIFICATE-----\n"+certificateString+"-----END CERTIFICATE-----");
+
+ return true;
+ } catch (CertificateException e) {
+ // TODO Auto-generated catch block
+ e.printStackTrace();
+ return false;
}
- ConfigHelper.saveSharedPref(ConfigHelper.CERT_KEY, certificate);
- ConfigHelper.saveSharedPref(ConfigHelper.KEY_KEY, key);
- return true;
} else {
return false;
}