summaryrefslogtreecommitdiff
path: root/app/src/main/java/se/leap/bitmaskclient/providersetup
diff options
context:
space:
mode:
Diffstat (limited to 'app/src/main/java/se/leap/bitmaskclient/providersetup')
-rw-r--r--app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java50
-rw-r--r--app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java10
2 files changed, 39 insertions, 21 deletions
diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java
index 808d9e75..63cf03cf 100644
--- a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java
+++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java
@@ -849,18 +849,24 @@ public abstract class ProviderApiManagerBase {
protected boolean validCertificate(Provider provider, String certString) {
boolean result = false;
if (!ConfigHelper.checkErroneousDownload(certString)) {
- X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(certString);
+ ArrayList<X509Certificate> certificates = ConfigHelper.parseX509CertificatesFromString(certString);
try {
- if (certificate != null) {
- JSONObject providerJson = provider.getDefinition();
- String fingerprint = providerJson.getString(Provider.CA_CERT_FINGERPRINT);
- String encoding = fingerprint.split(":")[0];
- String expectedFingerprint = fingerprint.split(":")[1];
- String realFingerprint = getFingerprintFromCertificate(certificate, encoding);
-
- result = realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim());
- } else
+ if (certificates != null) {
+ if (certificates.size() == 1) {
+ JSONObject providerJson = provider.getDefinition();
+ String fingerprint = providerJson.getString(Provider.CA_CERT_FINGERPRINT);
+ String encoding = fingerprint.split(":")[0];
+ String expectedFingerprint = fingerprint.split(":")[1];
+ String realFingerprint = getFingerprintFromCertificate(certificates.get(0), encoding);
+ result = realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim());
+ } else {
+ // otherwise we assume the provider is transitioning the CA certs and thus shipping multiple CA certs
+ // in that case we don't do cert pinning
+ result = true;
+ }
+ } else {
result = false;
+ }
} catch (JSONException | NoSuchAlgorithmException | CertificateEncodingException e) {
result = false;
}
@@ -910,18 +916,24 @@ public abstract class ProviderApiManagerBase {
return result;
}
- X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(caCert);
- if (certificate == null) {
+ ArrayList<X509Certificate> certificates = ConfigHelper.parseX509CertificatesFromString(caCert);
+ if (certificates == null) {
return setErrorResult(result, warning_corrupted_provider_cert, ERROR_INVALID_CERTIFICATE.toString());
}
try {
- certificate.checkValidity();
String encoding = provider.getCertificatePinEncoding();
String expectedFingerprint = provider.getCertificatePin();
- String realFingerprint = getFingerprintFromCertificate(certificate, encoding);
- if (!realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim())) {
- return setErrorResult(result, warning_corrupted_provider_cert, ERROR_CERTIFICATE_PINNING.toString());
+ // Do certificate pinning only if we have 1 cert, otherwise we assume some transitioning of
+ // X509 certs, therefore we cannot do cert pinning
+ if (certificates.size() == 1) {
+ String realFingerprint = getFingerprintFromCertificate(certificates.get(0), encoding);
+ if (!realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim())) {
+ return setErrorResult(result, warning_corrupted_provider_cert, ERROR_CERTIFICATE_PINNING.toString());
+ }
+ }
+ for (X509Certificate certificate : certificates) {
+ certificate.checkValidity();
}
if (!canConnect(provider, result)) {
@@ -1073,9 +1085,9 @@ public abstract class ProviderApiManagerBase {
keyString = Base64.encodeToString(key.getEncoded(), Base64.DEFAULT);
provider.setPrivateKey( "-----BEGIN RSA PRIVATE KEY-----\n" + keyString + "-----END RSA PRIVATE KEY-----");
- X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(certificateString);
- certificate.checkValidity();
- certificateString = Base64.encodeToString(certificate.getEncoded(), Base64.DEFAULT);
+ ArrayList<X509Certificate> certificates = ConfigHelper.parseX509CertificatesFromString(certificateString);
+ certificates.get(0).checkValidity();
+ certificateString = Base64.encodeToString(certificates.get(0).getEncoded(), Base64.DEFAULT);
provider.setVpnCertificate( "-----BEGIN CERTIFICATE-----\n" + certificateString + "-----END CERTIFICATE-----");
result.putBoolean(BROADCAST_RESULT_KEY, true);
} catch (CertificateException | NullPointerException e) {
diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java
index 5357fd74..cc68b5a8 100644
--- a/app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java
+++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java
@@ -12,6 +12,8 @@ import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
@@ -55,8 +57,12 @@ public class TLSCompatSocketFactory extends SSLSocketFactory {
KeyStore keyStore = KeyStore.getInstance(defaultType);
keyStore.load(null, null);
if (!TextUtils.isEmpty(trustedSelfSignedCaCert)) {
- java.security.cert.Certificate provider_certificate = ConfigHelper.parseX509CertificateFromString(trustedSelfSignedCaCert);
- keyStore.setCertificateEntry("provider_ca_certificate", provider_certificate);
+ ArrayList<X509Certificate> x509Certificates = ConfigHelper.parseX509CertificatesFromString(trustedSelfSignedCaCert);
+ if (x509Certificates != null) {
+ for (int i = 0; i < x509Certificates.size(); i++) {
+ keyStore.setCertificateEntry("provider_ca_certificate"+i, x509Certificates.get(i));
+ }
+ }
}
// Create a TrustManager that trusts the CAs in our KeyStore