From e2b289726f3c1813f9fafecc94bc61a70dbdb899 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Parm=C3=A9nides=20GV?=
Date: Tue, 21 Apr 2015 20:37:19 +0200
Subject: Pinning connection to provider.json

Using AndroidPinning library from Moxie, I make sure the provider.json file Bitmask downloads is fetched from a pinned https connection, so that the api certificate fingerprint is the good one.
---
 app/assets/urls/bitmask demo.url | 3 ++-
 app/assets/urls/calyx.url | 4 +++-
 app/assets/urls/riseup.url | 3 ++-
 3 files changed, 7 insertions(+), 3 deletions(-)
(limited to 'app/assets/urls')

diff --git a/app/assets/urls/bitmask demo.url b/app/assets/urls/bitmask demo.url
index 1a412055..81bdba52 100644
--- a/app/assets/urls/bitmask demo.url
+++ b/app/assets/urls/bitmask demo.url
@@ -1,3 +1,4 @@
 {
- "main_url" : "https://demo.bitmask.net/"
+ "main_url" : "https://demo.bitmask.net/",
+ "ca_cert_fingerprint" : "c3f9f39af6d42d1f201195dec918ac7603597049"
 }
diff --git a/app/assets/urls/calyx.url b/app/assets/urls/calyx.url
index 8de04fe9..9ae902f7 100644
--- a/app/assets/urls/calyx.url
+++ b/app/assets/urls/calyx.url
@@ -1,3 +1,5 @@
 {
- "main_url" : "https://calyx.net/"
+ "main_url" : "https://calyx.net/",
+ "ca_cert_fingerprint" : "98086aee17b5800acd0bdefe852e7c1ae72bd248"
+
 }
diff --git a/app/assets/urls/riseup.url b/app/assets/urls/riseup.url
index 4548b433..e250e93f 100644
--- a/app/assets/urls/riseup.url
+++ b/app/assets/urls/riseup.url
@@ -1,3 +1,4 @@
 {
- "main_url" : "https://riseup.net/"
+ "main_url" : "https://riseup.net/",
+ "ca_cert_fingerprint" : "c429750763322fcc20b6402d7b508ba9e754b176"
 }
-- 
cgit v1.2.3

From b0a0805ab81aaa4e204ecfc77d3a6a7f7ed66b2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Parm=C3=A9nides=20GV?=
Date: Mon, 8 Jun 2015 19:56:43 +0200
Subject: s/buildtype/flavor, changed riseup's pin

Riseup's EE certificate expired (EE = End-Entity, the commercial certificate signed by the issuer), and we weren't able to fetch provider.json because the pin wasn't valid. This problem needs to be avoided in the future, using HKPK (https://tools.ietf.org/html/rfc7469), which Micah's implementing on Riseup. Switching from build types from flavors enables us to run tests against production apk, not just debug. I didn't detect this pinning problem because tests were run only against the debug apk, which trusted preseeded providers by default (thus bypassing pinning issue).
---
 app/assets/urls/riseup.url | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'app/assets/urls')

diff --git a/app/assets/urls/riseup.url b/app/assets/urls/riseup.url
index e250e93f..4c565076 100644
--- a/app/assets/urls/riseup.url
+++ b/app/assets/urls/riseup.url
@@ -1,4 +1,4 @@
 {
 "main_url" : "https://riseup.net/",
- "ca_cert_fingerprint" : "c429750763322fcc20b6402d7b508ba9e754b176"
+ "ca_cert_fingerprint" : "aef7a642d7f8e046770521b354961a95cd4a76a8"
 }
-- 
cgit v1.2.3
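Review bot: The new `ca_cert_fingerprint` value in all three files (bitmask demo.url, calyx.url, riseup.url) carries no indication of the digest algorithm or of which certificate in the chain it identifies; a 40-hex-digit value is consistent with a SHA-1 digest, but nothing in these assets says so, and a consumer that computes a different digest or checks a different chain element would reject every connection. Since the file is JSON and cannot hold a comment, either carry the algorithm in the key name (a constructed example would be `"ca_cert_fingerprint_sha1"`) or document the expected digest and chain position at the point where these assets are parsed, which lies outside this diff. Also, the calyx.url hunk adds an empty line before the closing `}` that the other two files do not have; drop the blank `+` line so the three assets stay uniform.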
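Review bot: The replacement value keeps a single pin in a build-time asset, so, as this very commit shows, every certificate renewal on the provider side requires shipping a new apk before provider.json can be fetched again. The commit message states that the end-entity certificate expired and that this invalidated the pin, which suggests the value under `ca_cert_fingerprint` is the leaf's digest rather than a CA's; if so the key name is misleading and the pin will break on every routine renewal. Consider pinning the issuing CA certificate (which would match the key name) or the public key rather than the leaf, and keep a second, not-yet-deployed backup value in the asset so a rotation does not leave users without a valid pin; the RFC 7469 work mentioned in the message addresses the same failure mode on the server side. Whether the loader would accept a list of values for this key cannot be determined from this diff.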