From c37149dec7dbc2ff2bccfa643792080c3c86ce18 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Wed, 25 Oct 2017 15:55:49 +0200 Subject: 8757 fixes session cookie handling by implementing okHttpClient and custom cookiejar, enables TLS 1.2 on old devices, restricts allowed cipher suites on new devices in order to harden tls based communication --- .../java/se/leap/bitmaskclient/ProviderAPI.java | 407 ++++++++++++++------- 1 file changed, 268 insertions(+), 139 deletions(-) (limited to 'app/src/insecure/java/se/leap/bitmaskclient') diff --git a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java index a1b1b383..4805456c 100644 --- a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java +++ b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java @@ -16,31 +16,89 @@ */ package se.leap.bitmaskclient; -import android.app.*; -import android.content.*; -import android.content.res.*; -import android.os.*; +import android.app.IntentService; +import android.content.Intent; +import android.content.SharedPreferences; +import android.content.res.Resources; +import android.os.Build; +import android.os.Bundle; +import android.os.ResultReceiver; +import android.support.annotation.NonNull; import android.util.Base64; -import org.json.*; -import org.thoughtcrime.ssl.pinning.util.*; - -import java.io.*; -import java.math.*; -import java.net.*; -import java.security.*; -import java.security.cert.*; -import java.security.interfaces.*; -import java.util.*; - -import javax.net.ssl.*; - -import se.leap.bitmaskclient.ProviderListContent.*; -import se.leap.bitmaskclient.eip.*; +import org.json.JSONException; +import org.json.JSONObject; +import org.thoughtcrime.ssl.pinning.util.PinningHelper; + +import java.io.FileNotFoundException; +import java.io.IOException; +import java.io.InputStream; +import java.math.BigInteger; +import java.net.ConnectException; +import java.net.CookieHandler; +import java.net.MalformedURLException; +import java.net.SocketTimeoutException; +import java.net.URL; +import java.net.URLConnection; +import java.net.UnknownHostException; +import java.net.UnknownServiceException; +import java.security.KeyManagementException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.SecureRandom; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.interfaces.RSAPrivateKey; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.NoSuchElementException; +import java.util.Scanner; + +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.KeyManager; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLHandshakeException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocketFactory; +import javax.net.ssl.TrustManager; +import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509TrustManager; + +import okhttp3.CipherSuite; +import okhttp3.ConnectionSpec; +import okhttp3.Cookie; +import okhttp3.CookieJar; +import okhttp3.HttpUrl; +import okhttp3.MediaType; +import okhttp3.OkHttpClient; +import okhttp3.Request; +import okhttp3.RequestBody; +import okhttp3.Response; +import okhttp3.TlsVersion; +import se.leap.bitmaskclient.ProviderListContent.ProviderItem; +import se.leap.bitmaskclient.eip.Constants; +import se.leap.bitmaskclient.eip.EIP; import se.leap.bitmaskclient.userstatus.SessionDialog; import se.leap.bitmaskclient.userstatus.User; import se.leap.bitmaskclient.userstatus.UserStatus; +import static se.leap.bitmaskclient.R.string.certificate_error; +import static se.leap.bitmaskclient.R.string.error_io_exception_user_message; +import static se.leap.bitmaskclient.R.string.error_json_exception_user_message; +import static se.leap.bitmaskclient.R.string.error_no_such_algorithm_exception_user_message; +import static se.leap.bitmaskclient.R.string.keyChainAccessError; +import static se.leap.bitmaskclient.R.string.malformed_url; +import static se.leap.bitmaskclient.R.string.server_unreachable_message; +import static se.leap.bitmaskclient.R.string.service_is_down_error; + /** * Implements HTTP api methods used to manage communications with the provider server. *

@@ -79,7 +137,8 @@ public class ProviderAPI extends IntentService { PROVIDER_OK = 11, PROVIDER_NOK = 12, CORRECTLY_DOWNLOADED_EIP_SERVICE = 13, - INCORRECTLY_DOWNLOADED_EIP_SERVICE = 14; + INCORRECTLY_DOWNLOADED_EIP_SERVICE = 14, + INITIALIZATION_ERROR = 15; private static boolean CA_CERT_DOWNLOADED = false, @@ -93,11 +152,15 @@ public class ProviderAPI extends IntentService { private static String provider_api_url; private static String provider_ca_cert_fingerprint; private Resources resources; - public static void stop() { go_ahead = false; } + private final MediaType JSON + = MediaType.parse("application/json; charset=utf-8"); + private OkHttpClient okHttpClient; + private String initializationError = null; + public ProviderAPI() { super(TAG); } @@ -106,10 +169,9 @@ public class ProviderAPI extends IntentService { public void onCreate() { super.onCreate(); - preferences = getSharedPreferences(Dashboard.SHARED_PREFERENCES, MODE_PRIVATE); resources = getResources(); - CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER)); + initOkHttpClient(); } public static String lastProviderMainUrl() { @@ -120,13 +182,19 @@ public class ProviderAPI extends IntentService { return last_danger_on; } - private String formatErrorMessage(final int toast_string_id) { - return "{ \"" + ERRORS + "\" : \"" + getResources().getString(toast_string_id) + "\" }"; - } @Override protected void onHandleIntent(Intent command) { final ResultReceiver receiver = command.getParcelableExtra(RECEIVER_KEY); + + if (initializationError != null) { + Bundle result = new Bundle(); + result.putString(SessionDialog.ERRORS.INITIALIZATION_ERROR.toString(), initializationError); + result.putBoolean(RESULT_KEY, false); + receiver.send(INITIALIZATION_ERROR, result); + return; + } + String action = command.getAction(); Bundle parameters = command.getBundleExtra(PARAMETERS); if (provider_api_url == null && preferences.contains(Provider.KEY)) { @@ -190,6 +258,96 @@ public class ProviderAPI extends IntentService { } } + private String formatErrorMessage(final int toastStringId) { + return "{ \"" + ERRORS + "\" : \"" + getResources().getString(toastStringId) + "\" }"; + } + + private JSONObject getErrorMessageAsJson(final int toastStringId) { + try { + return new JSONObject(formatErrorMessage(toastStringId)); + } catch (JSONException e) { + e.printStackTrace(); + return new JSONObject(); + } + } + + private void initOkHttpClient() { + try { + + ConnectionSpec spec = getConnectionSpec(); + OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder(); + initSSLSocketFactory(clientBuilder); + clientBuilder.cookieJar(getCookieJar()) + .connectionSpecs(Collections.singletonList(spec)); + okHttpClient = clientBuilder.build(); + + } catch (IllegalStateException e) { + e.printStackTrace(); + //initializationError = String.format(formatErrorMessage(keyChainAccessError), e.getLocalizedMessage()); + initializationError = String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage()); + } catch (KeyStoreException e) { + e.printStackTrace(); + //initializationError = String.format(formatErrorMessage(keyChainAccessError), e.getLocalizedMessage()); + initializationError = String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage()); + } catch (KeyManagementException e) { + e.printStackTrace(); + //initializationError = String.format(formatErrorMessage(keyChainAccessError), e.getLocalizedMessage()); + initializationError = String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage()); + } catch (NoSuchAlgorithmException e) { + e.printStackTrace(); + //initializationError = formatErrorMessage(error_no_such_algorithm_exception_user_message); + initializationError = getResources().getString(error_no_such_algorithm_exception_user_message); + } catch (CertificateException e) { + e.printStackTrace(); + initializationError = getResources().getString(certificate_error); + } catch (UnknownHostException e) { + e.printStackTrace(); + initializationError = getResources().getString(server_unreachable_message); + } catch (IOException e) { + e.printStackTrace(); + initializationError = getResources().getString(error_io_exception_user_message); + } catch (NoSuchProviderException e) { + e.printStackTrace(); + } + } + + @NonNull + private ConnectionSpec getConnectionSpec() { + ConnectionSpec.Builder connectionSpecbuilder = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) + .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_3); + //FIXME: restrict connection further to the following recommended cipher suites for ALL supported API levels + //figure out how to use bcjsse for that purpose + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) + connectionSpecbuilder.cipherSuites( + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ); + return connectionSpecbuilder.build(); + } + + @NonNull + private CookieJar getCookieJar() { + return new CookieJar() { + private final HashMap> cookieStore = new HashMap<>(); + + @Override + public void saveFromResponse(HttpUrl url, List cookies) { + cookieStore.put(url.host(), cookies); + } + + @Override + public List loadForRequest(HttpUrl url) { + List cookies = cookieStore.get(url.host()); + return cookies != null ? cookies : new ArrayList(); + } + }; + } + + private Bundle tryToRegister(Bundle task) { Bundle result = new Bundle(); int progress = 0; @@ -310,20 +468,33 @@ public class ProviderAPI extends IntentService { } private Bundle authFailedNotification(JSONObject result, String username) { - Bundle user_notification_bundle = new Bundle(); - try { - JSONObject error_message = result.getJSONObject(ERRORS); - String error_type = error_message.keys().next().toString(); - String message = error_message.get(error_type).toString(); - user_notification_bundle.putString(getResources().getString(R.string.user_message), message); - } catch (JSONException e) { + Bundle userNotificationBundle = new Bundle(); + Object baseErrorMessage = result.opt(ERRORS); + if (baseErrorMessage != null) { + if (baseErrorMessage instanceof JSONObject) { + try { + JSONObject errorMessage = result.getJSONObject(ERRORS); + String errorType = errorMessage.keys().next().toString(); + String message = errorMessage.get(errorType).toString(); + userNotificationBundle.putString(getResources().getString(R.string.user_message), message); + } catch (JSONException e) { + e.printStackTrace(); + } + } else if (baseErrorMessage instanceof String) { + try { + String errorMessage = result.getString(ERRORS); + userNotificationBundle.putString(getResources().getString(R.string.user_message), errorMessage); + } catch (JSONException e) { + e.printStackTrace(); + } + } } if (!username.isEmpty()) - user_notification_bundle.putString(SessionDialog.USERNAME, username); - user_notification_bundle.putBoolean(RESULT_KEY, false); + userNotificationBundle.putString(SessionDialog.USERNAME, username); + userNotificationBundle.putBoolean(RESULT_KEY, false); - return user_notification_bundle; + return userNotificationBundle; } /** @@ -374,10 +545,8 @@ public class ProviderAPI extends IntentService { * @return response from authentication server */ private JSONObject sendAToSRPServer(String server_url, String username, String clientA) { - Map parameters = new HashMap(); - parameters.put("login", username); - parameters.put("A", clientA); - return sendToServer(server_url + "/sessions.json", "POST", parameters); + SrpCredentials srpCredentials = new SrpCredentials(username, clientA); + return sendToServer(server_url + "/sessions.json", "POST", srpCredentials.toString()); } /** @@ -389,10 +558,9 @@ public class ProviderAPI extends IntentService { * @return response from authentication server */ private JSONObject sendM1ToSRPServer(String server_url, String username, byte[] m1) { - Map parameters = new HashMap(); - parameters.put("client_auth", new BigInteger(1, ConfigHelper.trim(m1)).toString(16)); - return sendToServer(server_url + "/sessions/" + username + ".json", "PUT", parameters); + String m1json = "{\"client_auth\":\"" + new BigInteger(1, ConfigHelper.trim(m1)).toString(16)+ "\"}"; + return sendToServer(server_url + "/sessions/" + username + ".json", "PUT", m1json); } /** @@ -405,100 +573,52 @@ public class ProviderAPI extends IntentService { * @return response from authentication server */ private JSONObject sendNewUserDataToSRPServer(String server_url, String username, String salt, String password_verifier) { - Map parameters = new HashMap(); - parameters.put("user[login]", username); - parameters.put("user[password_salt]", salt); - parameters.put("user[password_verifier]", password_verifier); - return sendToServer(server_url + "/users.json", "POST", parameters); + return sendToServer(server_url + "/users.json", "POST", new SrpRegistrationData(username, salt, password_verifier).toString()); } - /** - * Executes an HTTP request expecting a JSON response. - * - * @param url - * @param request_method - * @param parameters - * @return response from authentication server - */ - private JSONObject sendToServer(String url, String request_method, Map parameters) { - JSONObject json_response; - HttpsURLConnection urlConnection = null; - try { - InputStream is = null; - urlConnection = (HttpsURLConnection) new URL(url).openConnection(); - urlConnection.setRequestMethod(request_method); - String locale = Locale.getDefault().getLanguage() + Locale.getDefault().getCountry(); - urlConnection.setRequestProperty("Accept-Language", locale); - urlConnection.setChunkedStreamingMode(0); - urlConnection.setSSLSocketFactory(getProviderSSLSocketFactory()); + private JSONObject sendToServer(String url, String request_method, String jsonString) { + Response response; + JSONObject responseJson = new JSONObject(); - DataOutputStream writer = new DataOutputStream(urlConnection.getOutputStream()); - writer.writeBytes(formatHttpParameters(parameters)); - writer.close(); + RequestBody jsonBody = RequestBody.create(JSON, jsonString); - is = urlConnection.getInputStream(); - String plain_response = new Scanner(is).useDelimiter("\\A").next(); - json_response = new JSONObject(plain_response); - } catch (IOException e) { - json_response = getErrorMessage(urlConnection); - e.printStackTrace(); - } catch (JSONException e) { - json_response = getErrorMessage(urlConnection); - e.printStackTrace(); - } catch (NoSuchAlgorithmException e) { - json_response = getErrorMessage(urlConnection); - e.printStackTrace(); - } catch (KeyManagementException e) { - json_response = getErrorMessage(urlConnection); - e.printStackTrace(); - } catch (KeyStoreException e) { - json_response = getErrorMessage(urlConnection); - e.printStackTrace(); - } catch (CertificateException e) { - json_response = getErrorMessage(urlConnection); - e.printStackTrace(); - } + Request request = new Request.Builder() + .url(url) + .method(request_method, jsonBody) + .build(); - return json_response; - } + try { + response = okHttpClient.newCall(request).execute(); - private JSONObject getErrorMessage(HttpsURLConnection urlConnection) { - JSONObject error_message = new JSONObject(); - if (urlConnection != null) { - InputStream error_stream = urlConnection.getErrorStream(); - if (error_stream != null) { - String error_response = new Scanner(error_stream).useDelimiter("\\A").next(); - try { - error_message = new JSONObject(error_response); - } catch (JSONException e) { - e.printStackTrace(); - } - urlConnection.disconnect(); + InputStream inputStream = response.body().byteStream(); + Scanner scanner = new Scanner(inputStream).useDelimiter("\\A"); + if (scanner.hasNext()) { + String plain_response = scanner.next(); + responseJson = new JSONObject(plain_response); } - } - return error_message; - } - - private String formatHttpParameters(Map parameters) throws UnsupportedEncodingException { - StringBuilder result = new StringBuilder(); - boolean first = true; - Iterator parameter_iterator = parameters.keySet().iterator(); - while (parameter_iterator.hasNext()) { - if (first) - first = false; - else - result.append("&&"); - - String key = parameter_iterator.next(); - String value = parameters.get(key); - - result.append(URLEncoder.encode(key, "UTF-8")); - result.append("="); - result.append(URLEncoder.encode(value, "UTF-8")); + } catch (JSONException e) { + responseJson = getErrorMessageAsJson(error_json_exception_user_message); + } catch (NullPointerException npe) { + responseJson = getErrorMessageAsJson(error_json_exception_user_message); + } catch (UnknownHostException e) { + responseJson = getErrorMessageAsJson(server_unreachable_message); + } catch (MalformedURLException e) { + responseJson = getErrorMessageAsJson(malformed_url); + } catch (SocketTimeoutException e) { + responseJson = getErrorMessageAsJson(server_unreachable_message); + } catch (SSLHandshakeException e) { + responseJson = getErrorMessageAsJson(certificate_error); + } catch (ConnectException e) { + responseJson = getErrorMessageAsJson(service_is_down_error); + } catch (UnknownServiceException e) { + //unable to find acceptable protocols - tlsv1.2 not enabled? + responseJson = getErrorMessageAsJson(error_no_such_algorithm_exception_user_message); + } catch (IOException e) { + responseJson = getErrorMessageAsJson(error_io_exception_user_message); } - return result.toString(); + return responseJson; } @@ -561,7 +681,7 @@ public class ProviderAPI extends IntentService { result.putBoolean(RESULT_KEY, false); } } catch (JSONException e) { - String reason_to_fail = formatErrorMessage(R.string.malformed_url); + String reason_to_fail = formatErrorMessage(malformed_url); result.putString(ERRORS, reason_to_fail); result.putBoolean(RESULT_KEY, false); } @@ -705,7 +825,7 @@ public class ProviderAPI extends IntentService { result = danger_on ? downloadWithoutCA(url_string) : formatErrorMessage(R.string.error_security_pinnedcertificate); } else - result = formatErrorMessage(R.string.error_io_exception_user_message); + result = formatErrorMessage(error_io_exception_user_message); } return result; @@ -735,19 +855,19 @@ public class ProviderAPI extends IntentService { url_connection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token = " + LeapSRPSession.getToken()); json_file_content = new Scanner(url_connection.getInputStream()).useDelimiter("\\A").next(); } catch (MalformedURLException e) { - json_file_content = formatErrorMessage(R.string.malformed_url); + json_file_content = formatErrorMessage(malformed_url); } catch (SocketTimeoutException e) { - json_file_content = formatErrorMessage(R.string.server_unreachable_message); + json_file_content = formatErrorMessage(server_unreachable_message); } catch (SSLHandshakeException e) { if (provider_url != null) { json_file_content = downloadWithProviderCA(string_url, danger_on); } else { - json_file_content = formatErrorMessage(R.string.certificate_error); + json_file_content = formatErrorMessage(certificate_error); } } catch (ConnectException e) { - json_file_content = formatErrorMessage(R.string.service_is_down_error); + json_file_content = formatErrorMessage(service_is_down_error); } catch (FileNotFoundException e) { - json_file_content = formatErrorMessage(R.string.malformed_url); + json_file_content = formatErrorMessage(malformed_url); } catch (Exception e) { if (provider_url != null && danger_on) { json_file_content = downloadWithProviderCA(string_url, danger_on); @@ -764,6 +884,7 @@ public class ProviderAPI extends IntentService { * @param danger_on true to download CA certificate in case it has not been downloaded. * @return an empty string if it fails, the url content if not. */ + //FIXME: refactor and use okHttpClient instead! private String downloadWithProviderCA(String url_string, boolean danger_on) { String json_file_content = ""; @@ -781,13 +902,13 @@ public class ProviderAPI extends IntentService { e.printStackTrace(); } catch (UnknownHostException e) { e.printStackTrace(); - json_file_content = formatErrorMessage(R.string.server_unreachable_message); + json_file_content = formatErrorMessage(server_unreachable_message); } catch (IOException e) { // The downloaded certificate doesn't validate our https connection. if (danger_on) { json_file_content = downloadWithoutCA(url_string); } else { - json_file_content = formatErrorMessage(R.string.certificate_error); + json_file_content = formatErrorMessage(certificate_error); } } catch (KeyStoreException e) { // TODO Auto-generated catch block @@ -800,11 +921,12 @@ public class ProviderAPI extends IntentService { e.printStackTrace(); } catch (NoSuchElementException e) { e.printStackTrace(); - json_file_content = formatErrorMessage(R.string.server_unreachable_message); + json_file_content = formatErrorMessage(server_unreachable_message); } return json_file_content; } + @Deprecated private javax.net.ssl.SSLSocketFactory getProviderSSLSocketFactory() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException { String provider_cert_string = preferences.getString(Provider.CA_CERT, ""); @@ -828,9 +950,15 @@ public class ProviderAPI extends IntentService { return context.getSocketFactory(); } + private void initSSLSocketFactory(OkHttpClient.Builder builder) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException, IllegalStateException, NoSuchProviderException { + TLSCompatSocketFactory sslCompatFactory = new TLSCompatSocketFactory(preferences.getString(Provider.CA_CERT, "")); + sslCompatFactory.initSSLSocketFactory(builder); + } + /** * Downloads the string that's in the url with any certificate. */ + // FIXME: refactor and use okHttpClient instead! private String downloadWithoutCA(String url_string) { String string = ""; try { @@ -869,11 +997,11 @@ public class ProviderAPI extends IntentService { System.out.println("String ignoring certificate = " + string); } catch (FileNotFoundException e) { e.printStackTrace(); - string = formatErrorMessage(R.string.malformed_url); + string = formatErrorMessage(malformed_url); } catch (IOException e) { // The downloaded certificate doesn't validate our https connection. e.printStackTrace(); - string = formatErrorMessage(R.string.certificate_error); + string = formatErrorMessage(certificate_error); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); @@ -889,6 +1017,7 @@ public class ProviderAPI extends IntentService { * * @return true if there were no exceptions */ + //FIXME: refactor and use okHttpClient instead! private boolean logOut() { String delete_url = provider_api_url + "/logout"; -- cgit v1.2.3 From 68bc106ee872b13830dfa5fa9794f7cecb306d8e Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sat, 28 Oct 2017 20:41:05 +0200 Subject: #8757 refactores ProviderAPI for insecure flavor, fixes tests, renames confusing constants, updates robotium --- .../java/se/leap/bitmaskclient/ProviderAPI.java | 419 ++++++++++----------- 1 file changed, 199 insertions(+), 220 deletions(-) (limited to 'app/src/insecure/java/se/leap/bitmaskclient') diff --git a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java index 4805456c..52ca89eb 100644 --- a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java +++ b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java @@ -25,6 +25,8 @@ import android.os.Bundle; import android.os.ResultReceiver; import android.support.annotation.NonNull; import android.util.Base64; +import android.util.Log; +import android.util.Pair; import org.json.JSONException; import org.json.JSONObject; @@ -35,15 +37,12 @@ import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.net.ConnectException; -import java.net.CookieHandler; import java.net.MalformedURLException; import java.net.SocketTimeoutException; import java.net.URL; -import java.net.URLConnection; import java.net.UnknownHostException; import java.net.UnknownServiceException; import java.security.KeyManagementException; -import java.security.KeyStore; import java.security.KeyStoreException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -54,11 +53,9 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.security.interfaces.RSAPrivateKey; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collections; import java.util.HashMap; import java.util.List; -import java.util.NoSuchElementException; import java.util.Scanner; import javax.net.ssl.HostnameVerifier; @@ -67,9 +64,7 @@ import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.SSLSession; -import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; -import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import okhttp3.CipherSuite; @@ -106,6 +101,7 @@ import static se.leap.bitmaskclient.R.string.service_is_down_error; * * @author parmegv * @author MeanderingCode + * @author cyberta */ public class ProviderAPI extends IntentService { @@ -121,6 +117,7 @@ public class ProviderAPI extends IntentService { RESULT_KEY = "result", RECEIVER_KEY = "receiver", ERRORS = "errors", + ERROR = "error", UPDATE_PROGRESSBAR = "update_progressbar", CURRENT_PROGRESS = "current_progress", DOWNLOAD_EIP_SERVICE = TAG + ".DOWNLOAD_EIP_SERVICE"; @@ -137,8 +134,7 @@ public class ProviderAPI extends IntentService { PROVIDER_OK = 11, PROVIDER_NOK = 12, CORRECTLY_DOWNLOADED_EIP_SERVICE = 13, - INCORRECTLY_DOWNLOADED_EIP_SERVICE = 14, - INITIALIZATION_ERROR = 15; + INCORRECTLY_DOWNLOADED_EIP_SERVICE = 14; private static boolean CA_CERT_DOWNLOADED = false, @@ -158,8 +154,6 @@ public class ProviderAPI extends IntentService { private final MediaType JSON = MediaType.parse("application/json; charset=utf-8"); - private OkHttpClient okHttpClient; - private String initializationError = null; public ProviderAPI() { super(TAG); @@ -171,7 +165,6 @@ public class ProviderAPI extends IntentService { preferences = getSharedPreferences(Dashboard.SHARED_PREFERENCES, MODE_PRIVATE); resources = getResources(); - initOkHttpClient(); } public static String lastProviderMainUrl() { @@ -187,14 +180,6 @@ public class ProviderAPI extends IntentService { protected void onHandleIntent(Intent command) { final ResultReceiver receiver = command.getParcelableExtra(RECEIVER_KEY); - if (initializationError != null) { - Bundle result = new Bundle(); - result.putString(SessionDialog.ERRORS.INITIALIZATION_ERROR.toString(), initializationError); - result.putBoolean(RESULT_KEY, false); - receiver.send(INITIALIZATION_ERROR, result); - return; - } - String action = command.getAction(); Bundle parameters = command.getBundleExtra(PARAMETERS); if (provider_api_url == null && preferences.contains(Provider.KEY)) { @@ -259,7 +244,11 @@ public class ProviderAPI extends IntentService { } private String formatErrorMessage(final int toastStringId) { - return "{ \"" + ERRORS + "\" : \"" + getResources().getString(toastStringId) + "\" }"; + return formatErrorMessage(getResources().getString(toastStringId)); + } + + private String formatErrorMessage(String errorMessage) { + return "{ \"" + ERRORS + "\" : \"" + errorMessage + "\" }"; } private JSONObject getErrorMessageAsJson(final int toastStringId) { @@ -271,44 +260,62 @@ public class ProviderAPI extends IntentService { } } - private void initOkHttpClient() { + private JSONObject getErrorMessageAsJson(String message) { try { + return new JSONObject(formatErrorMessage(message)); + } catch (JSONException e) { + e.printStackTrace(); + return new JSONObject(); + } + } + private OkHttpClient initHttpClient(JSONObject initError, boolean isSelfSigned) { + try { + TLSCompatSocketFactory sslCompatFactory; ConnectionSpec spec = getConnectionSpec(); OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder(); - initSSLSocketFactory(clientBuilder); + if (isSelfSigned) { + sslCompatFactory = new TLSCompatSocketFactory(preferences.getString(Provider.CA_CERT, "")); + + } else { + sslCompatFactory = new TLSCompatSocketFactory(); + } + sslCompatFactory.initSSLSocketFactory(clientBuilder); clientBuilder.cookieJar(getCookieJar()) .connectionSpecs(Collections.singletonList(spec)); - okHttpClient = clientBuilder.build(); - + return clientBuilder.build(); } catch (IllegalStateException e) { e.printStackTrace(); - //initializationError = String.format(formatErrorMessage(keyChainAccessError), e.getLocalizedMessage()); - initializationError = String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage()); + initError = getErrorMessageAsJson(String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage())); } catch (KeyStoreException e) { e.printStackTrace(); - //initializationError = String.format(formatErrorMessage(keyChainAccessError), e.getLocalizedMessage()); - initializationError = String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage()); + initError = getErrorMessageAsJson(String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage())); } catch (KeyManagementException e) { e.printStackTrace(); - //initializationError = String.format(formatErrorMessage(keyChainAccessError), e.getLocalizedMessage()); - initializationError = String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage()); + initError = getErrorMessageAsJson(String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage())); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); - //initializationError = formatErrorMessage(error_no_such_algorithm_exception_user_message); - initializationError = getResources().getString(error_no_such_algorithm_exception_user_message); + initError = getErrorMessageAsJson(getResources().getString(error_no_such_algorithm_exception_user_message)); } catch (CertificateException e) { e.printStackTrace(); - initializationError = getResources().getString(certificate_error); + initError = getErrorMessageAsJson(getResources().getString(certificate_error)); } catch (UnknownHostException e) { e.printStackTrace(); - initializationError = getResources().getString(server_unreachable_message); + initError = getErrorMessageAsJson(getResources().getString(server_unreachable_message)); } catch (IOException e) { e.printStackTrace(); - initializationError = getResources().getString(error_io_exception_user_message); + initError = getErrorMessageAsJson(getResources().getString(error_io_exception_user_message)); } catch (NoSuchProviderException e) { e.printStackTrace(); } + return null; + } + private OkHttpClient initCommercialCAHttpClient(JSONObject initError) { + return initHttpClient(initError, false); + } + + private OkHttpClient initSelfSignedCAHttpClient(JSONObject initError) { + return initHttpClient(initError, true); } @NonNull @@ -374,16 +381,22 @@ public class ProviderAPI extends IntentService { } private Bundle register(String username, String password) { + JSONObject stepResult = null; + OkHttpClient okHttpClient = initSelfSignedCAHttpClient(stepResult); + if (okHttpClient == null) { + return authFailedNotification(stepResult, username); + } + LeapSRPSession client = new LeapSRPSession(username, password); byte[] salt = client.calculateNewSalt(); BigInteger password_verifier = client.calculateV(username, password, salt); - JSONObject api_result = sendNewUserDataToSRPServer(provider_api_url, username, new BigInteger(1, salt).toString(16), password_verifier.toString(16)); + stepResult = sendNewUserDataToSRPServer(provider_api_url, username, new BigInteger(1, salt).toString(16), password_verifier.toString(16), okHttpClient); Bundle result = new Bundle(); - if (api_result.has(ERRORS)) - result = authFailedNotification(api_result, username); + if (stepResult.has(ERRORS)) + result = authFailedNotification(stepResult, username); else { result.putString(SessionDialog.USERNAME, username); result.putString(SessionDialog.PASSWORD, password); @@ -426,23 +439,28 @@ public class ProviderAPI extends IntentService { private Bundle authenticate(String username, String password) { Bundle result = new Bundle(); + JSONObject stepResult = new JSONObject(); + OkHttpClient okHttpClient = initSelfSignedCAHttpClient(stepResult); + if (okHttpClient == null) { + return authFailedNotification(stepResult, username); + } LeapSRPSession client = new LeapSRPSession(username, password); byte[] A = client.exponential(); - JSONObject step_result = sendAToSRPServer(provider_api_url, username, new BigInteger(1, A).toString(16)); + stepResult = sendAToSRPServer(provider_api_url, username, new BigInteger(1, A).toString(16), okHttpClient); try { - String salt = step_result.getString(LeapSRPSession.SALT); - byte[] Bbytes = new BigInteger(step_result.getString("B"), 16).toByteArray(); + String salt = stepResult.getString(LeapSRPSession.SALT); + byte[] Bbytes = new BigInteger(stepResult.getString("B"), 16).toByteArray(); byte[] M1 = client.response(new BigInteger(salt, 16).toByteArray(), Bbytes); if (M1 != null) { - step_result = sendM1ToSRPServer(provider_api_url, username, M1); - setTokenIfAvailable(step_result); - byte[] M2 = new BigInteger(step_result.getString(LeapSRPSession.M2), 16).toByteArray(); + stepResult = sendM1ToSRPServer(provider_api_url, username, M1, okHttpClient); + setTokenIfAvailable(stepResult); + byte[] M2 = new BigInteger(stepResult.getString(LeapSRPSession.M2), 16).toByteArray(); if (client.verify(M2)) { result.putBoolean(RESULT_KEY, true); } else { - authFailedNotification(step_result, username); + authFailedNotification(stepResult, username); } } else { result.putBoolean(RESULT_KEY, false); @@ -450,7 +468,7 @@ public class ProviderAPI extends IntentService { result.putString(getResources().getString(R.string.user_message), getResources().getString(R.string.error_srp_math_error_user_message)); } } catch (JSONException e) { - result = authFailedNotification(step_result, username); + result = authFailedNotification(stepResult, username); e.printStackTrace(); } @@ -460,8 +478,7 @@ public class ProviderAPI extends IntentService { private boolean setTokenIfAvailable(JSONObject authentication_step_result) { try { LeapSRPSession.setToken(authentication_step_result.getString(LeapSRPSession.TOKEN)); - CookieHandler.setDefault(null); // we don't need cookies anymore - } catch (JSONException e) { // + } catch (JSONException e) { return false; } return true; @@ -542,11 +559,12 @@ public class ProviderAPI extends IntentService { * @param server_url * @param username * @param clientA First SRP parameter sent + * @param okHttpClient * @return response from authentication server */ - private JSONObject sendAToSRPServer(String server_url, String username, String clientA) { + private JSONObject sendAToSRPServer(String server_url, String username, String clientA, OkHttpClient okHttpClient) { SrpCredentials srpCredentials = new SrpCredentials(username, clientA); - return sendToServer(server_url + "/sessions.json", "POST", srpCredentials.toString()); + return sendToServer(server_url + "/sessions.json", "POST", srpCredentials.toString(), okHttpClient); } /** @@ -555,12 +573,13 @@ public class ProviderAPI extends IntentService { * @param server_url * @param username * @param m1 Second SRP parameter sent + * @param okHttpClient * @return response from authentication server */ - private JSONObject sendM1ToSRPServer(String server_url, String username, byte[] m1) { + private JSONObject sendM1ToSRPServer(String server_url, String username, byte[] m1, OkHttpClient okHttpClient) { String m1json = "{\"client_auth\":\"" + new BigInteger(1, ConfigHelper.trim(m1)).toString(16)+ "\"}"; - return sendToServer(server_url + "/sessions/" + username + ".json", "PUT", m1json); + return sendToServer(server_url + "/sessions/" + username + ".json", "PUT", m1json, okHttpClient); } /** @@ -572,20 +591,48 @@ public class ProviderAPI extends IntentService { * @param password_verifier * @return response from authentication server */ - private JSONObject sendNewUserDataToSRPServer(String server_url, String username, String salt, String password_verifier) { - return sendToServer(server_url + "/users.json", "POST", new SrpRegistrationData(username, salt, password_verifier).toString()); + private JSONObject sendNewUserDataToSRPServer(String server_url, String username, String salt, String password_verifier, OkHttpClient okHttpClient) { + return sendToServer(server_url + "/users.json", "POST", new SrpRegistrationData(username, salt, password_verifier).toString(), okHttpClient); } - private JSONObject sendToServer(String url, String request_method, String jsonString) { - Response response; - JSONObject responseJson = new JSONObject(); + private JSONObject sendToServer(String url, String request_method, String jsonString, OkHttpClient okHttpClient) { + return requestJsonFromServer(url, request_method, jsonString, null, okHttpClient); + } + + private String sendGetStringToServer(String url, List> headerArgs, OkHttpClient okHttpClient) { + return requestStringFromServer(url, "GET", null, headerArgs, okHttpClient); + } + + + + private JSONObject requestJsonFromServer(String url, String request_method, String jsonString, List> headerArgs, @NonNull OkHttpClient okHttpClient) { + JSONObject responseJson; + String plain_response = requestStringFromServer(url, request_method, jsonString, headerArgs, okHttpClient); + + try { + responseJson = new JSONObject(plain_response); + } catch (JSONException e) { + e.printStackTrace(); + responseJson = getErrorMessageAsJson(error_json_exception_user_message); + } + return responseJson; - RequestBody jsonBody = RequestBody.create(JSON, jsonString); + } + + private String requestStringFromServer(String url, String request_method, String jsonString, List> headerArgs, @NonNull OkHttpClient okHttpClient) { + Response response; + String plainResponseBody = null; - Request request = new Request.Builder() + RequestBody jsonBody = jsonString != null ? RequestBody.create(JSON, jsonString) : null; + Request.Builder requestBuilder = new Request.Builder() .url(url) - .method(request_method, jsonBody) - .build(); + .method(request_method, jsonBody); + if (headerArgs != null) { + for (Pair keyValPair : headerArgs) { + requestBuilder.addHeader(keyValPair.first, keyValPair.second); + } + } + Request request = requestBuilder.build(); try { response = okHttpClient.newCall(request).execute(); @@ -593,35 +640,33 @@ public class ProviderAPI extends IntentService { InputStream inputStream = response.body().byteStream(); Scanner scanner = new Scanner(inputStream).useDelimiter("\\A"); if (scanner.hasNext()) { - String plain_response = scanner.next(); - responseJson = new JSONObject(plain_response); + plainResponseBody = scanner.next(); } - } catch (JSONException e) { - responseJson = getErrorMessageAsJson(error_json_exception_user_message); } catch (NullPointerException npe) { - responseJson = getErrorMessageAsJson(error_json_exception_user_message); + plainResponseBody = formatErrorMessage(error_json_exception_user_message); } catch (UnknownHostException e) { - responseJson = getErrorMessageAsJson(server_unreachable_message); + plainResponseBody = formatErrorMessage(server_unreachable_message); } catch (MalformedURLException e) { - responseJson = getErrorMessageAsJson(malformed_url); + plainResponseBody = formatErrorMessage(malformed_url); } catch (SocketTimeoutException e) { - responseJson = getErrorMessageAsJson(server_unreachable_message); + plainResponseBody = formatErrorMessage(server_unreachable_message); } catch (SSLHandshakeException e) { - responseJson = getErrorMessageAsJson(certificate_error); + plainResponseBody = formatErrorMessage(certificate_error); } catch (ConnectException e) { - responseJson = getErrorMessageAsJson(service_is_down_error); + plainResponseBody = formatErrorMessage(service_is_down_error); + } catch (IllegalArgumentException e) { + plainResponseBody = formatErrorMessage(error_no_such_algorithm_exception_user_message); } catch (UnknownServiceException e) { //unable to find acceptable protocols - tlsv1.2 not enabled? - responseJson = getErrorMessageAsJson(error_no_such_algorithm_exception_user_message); + plainResponseBody = formatErrorMessage(error_no_such_algorithm_exception_user_message); } catch (IOException e) { - responseJson = getErrorMessageAsJson(error_io_exception_user_message); + plainResponseBody = formatErrorMessage(error_io_exception_user_message); } - return responseJson; + return plainResponseBody; } - /** * Downloads a provider.json from a given URL, adding a new provider using the given name. * @@ -808,13 +853,13 @@ public class ProviderAPI extends IntentService { return error_message; } - private String downloadWithCommercialCA(String url_string, boolean danger_on, String ca_cert_fingerprint) { + //TODO: refactor with ticket #8773 + private String downloadWithCommercialCA(String urlString, boolean dangerOn, String caCertFingerprint) { String result = ""; - int seconds_of_timeout = 2; - String[] pins = new String[] {ca_cert_fingerprint}; + String[] pins = new String[] {caCertFingerprint}; try { - URL url = new URL(url_string); + URL url = new URL(urlString); HttpsURLConnection connection = PinningHelper.getPinnedHttpsURLConnection(getApplicationContext(), pins, url); connection.setConnectTimeout(seconds_of_timeout * 1000); if (!LeapSRPSession.getToken().isEmpty()) @@ -822,7 +867,7 @@ public class ProviderAPI extends IntentService { result = new Scanner(connection.getInputStream()).useDelimiter("\\A").next(); } catch (IOException e) { if(e instanceof SSLHandshakeException) { - result = danger_on ? downloadWithoutCA(url_string) : + result = dangerOn ? downloadWithoutCA(urlString) : formatErrorMessage(R.string.error_security_pinnedcertificate); } else result = formatErrorMessage(error_io_exception_user_message); @@ -841,124 +886,83 @@ public class ProviderAPI extends IntentService { * @return */ private String downloadWithCommercialCA(String string_url, boolean danger_on) { + String responseString; + JSONObject errorJson = new JSONObject(); + + OkHttpClient okHttpClient = initCommercialCAHttpClient(errorJson); + if (okHttpClient == null) { + return errorJson.toString(); + } - String json_file_content = ""; + List> headerArgs = getAuthorizationHeader(); - URL provider_url = null; - int seconds_of_timeout = 2; - try { - provider_url = new URL(string_url); - URLConnection url_connection = provider_url.openConnection(); + responseString = sendGetStringToServer(string_url, headerArgs, okHttpClient); - url_connection.setConnectTimeout(seconds_of_timeout * 1000); - if (!LeapSRPSession.getToken().isEmpty()) - url_connection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token = " + LeapSRPSession.getToken()); - json_file_content = new Scanner(url_connection.getInputStream()).useDelimiter("\\A").next(); - } catch (MalformedURLException e) { - json_file_content = formatErrorMessage(malformed_url); - } catch (SocketTimeoutException e) { - json_file_content = formatErrorMessage(server_unreachable_message); - } catch (SSLHandshakeException e) { - if (provider_url != null) { - json_file_content = downloadWithProviderCA(string_url, danger_on); - } else { - json_file_content = formatErrorMessage(certificate_error); - } - } catch (ConnectException e) { - json_file_content = formatErrorMessage(service_is_down_error); - } catch (FileNotFoundException e) { - json_file_content = formatErrorMessage(malformed_url); - } catch (Exception e) { - if (provider_url != null && danger_on) { - json_file_content = downloadWithProviderCA(string_url, danger_on); + if (responseString.contains(ERRORS)) { + try { + // try to download with provider CA on certificate error + JSONObject responseErrorJson = new JSONObject(responseString); + if (danger_on && responseErrorJson.getString(ERRORS).equals(getString(R.string.certificate_error))) { + responseString = downloadWithProviderCA(string_url, danger_on); + } + } catch (JSONException e) { + e.printStackTrace(); } } - return json_file_content; + return responseString; + } + + @NonNull + private List> getAuthorizationHeader() { + List> headerArgs = new ArrayList<>(); + if (!LeapSRPSession.getToken().isEmpty()) { + Pair authorizationHeaderPair = new Pair<>(LeapSRPSession.AUTHORIZATION_HEADER, "Token token=" + LeapSRPSession.getToken()); + headerArgs.add(authorizationHeaderPair); + } + return headerArgs; } /** * Tries to download the contents of the provided url using not commercially validated CA certificate from chosen provider. * - * @param url_string as a string - * @param danger_on true to download CA certificate in case it has not been downloaded. + * @param urlString as a string + * @param dangerOn true to download CA certificate in case it has not been downloaded. * @return an empty string if it fails, the url content if not. */ - //FIXME: refactor and use okHttpClient instead! - private String downloadWithProviderCA(String url_string, boolean danger_on) { - String json_file_content = ""; - - try { - URL url = new URL(url_string); - // Tell the URLConnection to use a SocketFactory from our SSLContext - HttpsURLConnection urlConnection = - (HttpsURLConnection) url.openConnection(); - urlConnection.setSSLSocketFactory(getProviderSSLSocketFactory()); - if (!LeapSRPSession.getToken().isEmpty()) - urlConnection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token=" + LeapSRPSession.getToken()); - json_file_content = new Scanner(urlConnection.getInputStream()).useDelimiter("\\A").next(); - } catch (CertificateException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (UnknownHostException e) { - e.printStackTrace(); - json_file_content = formatErrorMessage(server_unreachable_message); - } catch (IOException e) { - // The downloaded certificate doesn't validate our https connection. - if (danger_on) { - json_file_content = downloadWithoutCA(url_string); - } else { - json_file_content = formatErrorMessage(certificate_error); - } - } catch (KeyStoreException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (NoSuchAlgorithmException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (KeyManagementException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (NoSuchElementException e) { - e.printStackTrace(); - json_file_content = formatErrorMessage(server_unreachable_message); + private String downloadWithProviderCA(String urlString, boolean dangerOn) { + Log.d(TAG, "download with providerCA: " + urlString); + JSONObject initError = new JSONObject(); + String responseString; + + OkHttpClient okHttpClient = initSelfSignedCAHttpClient(initError); + if (okHttpClient == null) { + return initError.toString(); } - return json_file_content; - } - - @Deprecated - private javax.net.ssl.SSLSocketFactory getProviderSSLSocketFactory() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException { - String provider_cert_string = preferences.getString(Provider.CA_CERT, ""); - - java.security.cert.Certificate provider_certificate = ConfigHelper.parseX509CertificateFromString(provider_cert_string); - // Create a KeyStore containing our trusted CAs - String keyStoreType = KeyStore.getDefaultType(); - KeyStore keyStore = KeyStore.getInstance(keyStoreType); - keyStore.load(null, null); - keyStore.setCertificateEntry("provider_ca_certificate", provider_certificate); + List> headerArgs = getAuthorizationHeader(); - // Create a TrustManager that trusts the CAs in our KeyStore - String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); - TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); - tmf.init(keyStore); + responseString = sendGetStringToServer(urlString, headerArgs, okHttpClient); - // Create an SSLContext that uses our TrustManager - SSLContext context = SSLContext.getInstance("TLS"); - context.init(null, tmf.getTrustManagers(), null); - - return context.getSocketFactory(); - } + if (responseString.contains(ERRORS)) { + try { + // danger danger: try to download without CA on certificate error + JSONObject responseErrorJson = new JSONObject(responseString); + if (dangerOn && responseErrorJson.getString(ERRORS).equals(getString(R.string.certificate_error))) { + responseString = downloadWithoutCA(urlString); + } + } catch (JSONException e) { + e.printStackTrace(); + } + } - private void initSSLSocketFactory(OkHttpClient.Builder builder) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException, IllegalStateException, NoSuchProviderException { - TLSCompatSocketFactory sslCompatFactory = new TLSCompatSocketFactory(preferences.getString(Provider.CA_CERT, "")); - sslCompatFactory.initSSLSocketFactory(builder); + return responseString; } /** * Downloads the string that's in the url with any certificate. */ - // FIXME: refactor and use okHttpClient instead! + // This method is totally insecure anyways. So no need to refactor that in order to use okHttpClient, force modern TLS etc.. DO NOT USE IN PRODUCTION! private String downloadWithoutCA(String url_string) { String string = ""; try { @@ -1017,55 +1021,31 @@ public class ProviderAPI extends IntentService { * * @return true if there were no exceptions */ - //FIXME: refactor and use okHttpClient instead! private boolean logOut() { - String delete_url = provider_api_url + "/logout"; - HttpsURLConnection urlConnection = null; - int responseCode = 0; + OkHttpClient okHttpClient = initSelfSignedCAHttpClient(new JSONObject()); + if (okHttpClient == null) { + return false; + } + + String deleteUrl = provider_api_url + "/logout"; int progress = 0; - try { - urlConnection = (HttpsURLConnection) new URL(delete_url).openConnection(); - urlConnection.setRequestMethod("DELETE"); - urlConnection.setSSLSocketFactory(getProviderSSLSocketFactory()); + Request.Builder requestBuilder = new Request.Builder() + .url(deleteUrl) + .delete(); + Request request = requestBuilder.build(); - responseCode = urlConnection.getResponseCode(); - broadcastProgress(progress++); - LeapSRPSession.setToken(""); - } catch (IndexOutOfBoundsException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - return false; - } catch (IOException e) { - // TODO Auto-generated catch block - try { - if (urlConnection != null) { - responseCode = urlConnection.getResponseCode(); - if (responseCode == 401) { - broadcastProgress(progress++); - LeapSRPSession.setToken(""); - return true; - } - } - } catch (IOException e1) { - e1.printStackTrace(); + try { + Response response = okHttpClient.newCall(request).execute(); + // v---- was already not authorized + if (response.isSuccessful() || response.code() == 401) { + broadcastProgress(progress++); + LeapSRPSession.setToken(""); } - e.printStackTrace(); + } catch (IOException e) { return false; - } catch (KeyManagementException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (KeyStoreException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (NoSuchAlgorithmException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (CertificateException e) { - // TODO Auto-generated catch block - e.printStackTrace(); } return true; } @@ -1080,11 +1060,10 @@ public class ProviderAPI extends IntentService { JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, "")); String provider_main_url = provider_json.getString(Provider.API_URL); - URL new_cert_string_url = new URL(provider_main_url + "/" + provider_json.getString(Provider.API_VERSION) + "/" + Constants.CERTIFICATE); + URL new_cert_string_url = new URL(provider_main_url + "/" + provider_json.getString(Provider.API_VERSION) + "/" + Constants.VPN_CERTIFICATE); boolean danger_on = preferences.getBoolean(ProviderItem.DANGER_ON, false); - String cert_string = downloadWithProviderCA(new_cert_string_url.toString(), danger_on); if (cert_string.isEmpty() || ConfigHelper.checkErroneousDownload(cert_string)) @@ -1121,7 +1100,7 @@ public class ProviderAPI extends IntentService { X509Certificate certCert = ConfigHelper.parseX509CertificateFromString(certificateString); certificateString = Base64.encodeToString(certCert.getEncoded(), Base64.DEFAULT); - preferences.edit().putString(Constants.CERTIFICATE, "-----BEGIN CERTIFICATE-----\n" + certificateString + "-----END CERTIFICATE-----").commit(); + preferences.edit().putString(Constants.VPN_CERTIFICATE, "-----BEGIN CERTIFICATE-----\n" + certificateString + "-----END CERTIFICATE-----").commit(); return true; } catch (CertificateException e) { -- cgit v1.2.3 From dc0a4511dfd54135aeb1e87dac55ed5644e5ae6b Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sun, 29 Oct 2017 17:08:02 +0100 Subject: #8757 refactores ProviderAPI for production flavor --- app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'app/src/insecure/java/se/leap/bitmaskclient') diff --git a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java index 52ca89eb..17e75ce4 100644 --- a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java +++ b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java @@ -307,6 +307,7 @@ public class ProviderAPI extends IntentService { initError = getErrorMessageAsJson(getResources().getString(error_io_exception_user_message)); } catch (NoSuchProviderException e) { e.printStackTrace(); + initError = getErrorMessageAsJson(getResources().getString(error_no_such_algorithm_exception_user_message)); } return null; } @@ -632,6 +633,9 @@ public class ProviderAPI extends IntentService { requestBuilder.addHeader(keyValPair.first, keyValPair.second); } } + //TODO: move to getHeaderArgs()? + String locale = Locale.getDefault().getLanguage() + Locale.getDefault().getCountry(); + requestBuilder.addHeader("Accept-Language", locale); Request request = requestBuilder.build(); try { @@ -931,7 +935,6 @@ public class ProviderAPI extends IntentService { * @return an empty string if it fails, the url content if not. */ private String downloadWithProviderCA(String urlString, boolean dangerOn) { - Log.d(TAG, "download with providerCA: " + urlString); JSONObject initError = new JSONObject(); String responseString; -- cgit v1.2.3 From 1f133c139e4f9f26a265b26cbb6f37c2556a5fcc Mon Sep 17 00:00:00 2001 From: cyBerta Date: Sun, 29 Oct 2017 18:18:38 +0100 Subject: add missing import... --- app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java | 1 + 1 file changed, 1 insertion(+) (limited to 'app/src/insecure/java/se/leap/bitmaskclient') diff --git a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java index 17e75ce4..670a88f8 100644 --- a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java +++ b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java @@ -56,6 +56,7 @@ import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; import java.util.List; +import java.util.Locale; import java.util.Scanner; import javax.net.ssl.HostnameVerifier; -- cgit v1.2.3 From 8158397299dc29e6ffa1018b082c41aad37f18d6 Mon Sep 17 00:00:00 2001 From: cyBerta Date: Tue, 31 Oct 2017 15:58:07 +0100 Subject: #8757 new ProviderApiBase includes commonly used code between different implementations of ProviderAPI --- .../java/se/leap/bitmaskclient/ProviderAPI.java | 852 ++------------------- 1 file changed, 60 insertions(+), 792 deletions(-) (limited to 'app/src/insecure/java/se/leap/bitmaskclient') diff --git a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java index 670a88f8..588ff7e2 100644 --- a/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java +++ b/app/src/insecure/java/se/leap/bitmaskclient/ProviderAPI.java @@ -16,16 +16,7 @@ */ package se.leap.bitmaskclient; -import android.app.IntentService; -import android.content.Intent; -import android.content.SharedPreferences; -import android.content.res.Resources; -import android.os.Build; import android.os.Bundle; -import android.os.ResultReceiver; -import android.support.annotation.NonNull; -import android.util.Base64; -import android.util.Log; import android.util.Pair; import org.json.JSONException; @@ -34,29 +25,13 @@ import org.thoughtcrime.ssl.pinning.util.PinningHelper; import java.io.FileNotFoundException; import java.io.IOException; -import java.io.InputStream; -import java.math.BigInteger; -import java.net.ConnectException; -import java.net.MalformedURLException; -import java.net.SocketTimeoutException; import java.net.URL; -import java.net.UnknownHostException; -import java.net.UnknownServiceException; import java.security.KeyManagementException; -import java.security.KeyStoreException; -import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; import java.security.SecureRandom; -import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; -import java.security.interfaces.RSAPrivateKey; -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; import java.util.List; -import java.util.Locale; import java.util.Scanner; import javax.net.ssl.HostnameVerifier; @@ -68,617 +43,42 @@ import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; -import okhttp3.CipherSuite; -import okhttp3.ConnectionSpec; -import okhttp3.Cookie; -import okhttp3.CookieJar; -import okhttp3.HttpUrl; -import okhttp3.MediaType; import okhttp3.OkHttpClient; -import okhttp3.Request; -import okhttp3.RequestBody; -import okhttp3.Response; -import okhttp3.TlsVersion; import se.leap.bitmaskclient.ProviderListContent.ProviderItem; import se.leap.bitmaskclient.eip.Constants; import se.leap.bitmaskclient.eip.EIP; -import se.leap.bitmaskclient.userstatus.SessionDialog; -import se.leap.bitmaskclient.userstatus.User; -import se.leap.bitmaskclient.userstatus.UserStatus; import static se.leap.bitmaskclient.R.string.certificate_error; import static se.leap.bitmaskclient.R.string.error_io_exception_user_message; -import static se.leap.bitmaskclient.R.string.error_json_exception_user_message; -import static se.leap.bitmaskclient.R.string.error_no_such_algorithm_exception_user_message; -import static se.leap.bitmaskclient.R.string.keyChainAccessError; import static se.leap.bitmaskclient.R.string.malformed_url; -import static se.leap.bitmaskclient.R.string.server_unreachable_message; -import static se.leap.bitmaskclient.R.string.service_is_down_error; /** * Implements HTTP api methods used to manage communications with the provider server. + * It extends the abstract ProviderApiBase and implements the diverging method calls between the different flavors + * of ProviderAPI. *

- * It's an IntentService because it downloads data from the Internet, so it operates in the background. + * It extends an IntentService because it downloads data from the Internet, so it operates in the background. * * @author parmegv * @author MeanderingCode * @author cyberta */ -public class ProviderAPI extends IntentService { +public class ProviderAPI extends ProviderApiBase { - final public static String - TAG = ProviderAPI.class.getSimpleName(), - SET_UP_PROVIDER = "setUpProvider", - DOWNLOAD_NEW_PROVIDER_DOTJSON = "downloadNewProviderDotJSON", - SIGN_UP = "srpRegister", - LOG_IN = "srpAuth", - LOG_OUT = "logOut", - DOWNLOAD_CERTIFICATE = "downloadUserAuthedCertificate", - PARAMETERS = "parameters", - RESULT_KEY = "result", - RECEIVER_KEY = "receiver", - ERRORS = "errors", - ERROR = "error", - UPDATE_PROGRESSBAR = "update_progressbar", - CURRENT_PROGRESS = "current_progress", - DOWNLOAD_EIP_SERVICE = TAG + ".DOWNLOAD_EIP_SERVICE"; - - final public static int - SUCCESSFUL_LOGIN = 3, - FAILED_LOGIN = 4, - SUCCESSFUL_SIGNUP = 5, - FAILED_SIGNUP = 6, - SUCCESSFUL_LOGOUT = 7, - LOGOUT_FAILED = 8, - CORRECTLY_DOWNLOADED_CERTIFICATE = 9, - INCORRECTLY_DOWNLOADED_CERTIFICATE = 10, - PROVIDER_OK = 11, - PROVIDER_NOK = 12, - CORRECTLY_DOWNLOADED_EIP_SERVICE = 13, - INCORRECTLY_DOWNLOADED_EIP_SERVICE = 14; - - private static boolean - CA_CERT_DOWNLOADED = false, - PROVIDER_JSON_DOWNLOADED = false, - EIP_SERVICE_JSON_DOWNLOADED = false; - - private static String last_provider_main_url; - private static boolean last_danger_on = false; - private static boolean go_ahead = true; - private static SharedPreferences preferences; - private static String provider_api_url; - private static String provider_ca_cert_fingerprint; - private Resources resources; - public static void stop() { - go_ahead = false; - } - - private final MediaType JSON - = MediaType.parse("application/json; charset=utf-8"); - - public ProviderAPI() { - super(TAG); - } - - @Override - public void onCreate() { - super.onCreate(); - - preferences = getSharedPreferences(Dashboard.SHARED_PREFERENCES, MODE_PRIVATE); - resources = getResources(); - } - - public static String lastProviderMainUrl() { - return last_provider_main_url; - } + private static boolean last_danger_on = true; public static boolean lastDangerOn() { return last_danger_on; } - - @Override - protected void onHandleIntent(Intent command) { - final ResultReceiver receiver = command.getParcelableExtra(RECEIVER_KEY); - - String action = command.getAction(); - Bundle parameters = command.getBundleExtra(PARAMETERS); - if (provider_api_url == null && preferences.contains(Provider.KEY)) { - try { - JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, "no provider")); - provider_api_url = provider_json.getString(Provider.API_URL) + "/" + provider_json.getString(Provider.API_VERSION); - go_ahead = true; - } catch (JSONException e) { - go_ahead = false; - } - } - - if (action.equalsIgnoreCase(SET_UP_PROVIDER)) { - Bundle result = setUpProvider(parameters); - if (result.getBoolean(RESULT_KEY)) { - receiver.send(PROVIDER_OK, result); - } else { - receiver.send(PROVIDER_NOK, result); - } - } else if (action.equalsIgnoreCase(SIGN_UP)) { - UserStatus.updateStatus(UserStatus.SessionStatus.SIGNING_UP, resources); - Bundle result = tryToRegister(parameters); - if (result.getBoolean(RESULT_KEY)) { - receiver.send(SUCCESSFUL_SIGNUP, result); - } else { - receiver.send(FAILED_SIGNUP, result); - } - } else if (action.equalsIgnoreCase(LOG_IN)) { - UserStatus.updateStatus(UserStatus.SessionStatus.LOGGING_IN, resources); - Bundle result = tryToAuthenticate(parameters); - if (result.getBoolean(RESULT_KEY)) { - receiver.send(SUCCESSFUL_LOGIN, result); - UserStatus.updateStatus(UserStatus.SessionStatus.LOGGED_IN, resources); - } else { - receiver.send(FAILED_LOGIN, result); - UserStatus.updateStatus(UserStatus.SessionStatus.NOT_LOGGED_IN, resources); - } - } else if (action.equalsIgnoreCase(LOG_OUT)) { - UserStatus.updateStatus(UserStatus.SessionStatus.LOGGING_OUT, resources); - if (logOut()) { - receiver.send(SUCCESSFUL_LOGOUT, Bundle.EMPTY); - android.util.Log.d(TAG, "Logged out, notifying user status"); - UserStatus.updateStatus(UserStatus.SessionStatus.LOGGED_OUT, resources); - } else { - receiver.send(LOGOUT_FAILED, Bundle.EMPTY); - UserStatus.updateStatus(UserStatus.SessionStatus.DIDNT_LOG_OUT, resources); - } - } else if (action.equalsIgnoreCase(DOWNLOAD_CERTIFICATE)) { - if (updateVpnCertificate()) { - receiver.send(CORRECTLY_DOWNLOADED_CERTIFICATE, Bundle.EMPTY); - } else { - receiver.send(INCORRECTLY_DOWNLOADED_CERTIFICATE, Bundle.EMPTY); - } - } else if (action.equalsIgnoreCase(DOWNLOAD_EIP_SERVICE)) { - Bundle result = getAndSetEipServiceJson(); - if (result.getBoolean(RESULT_KEY)) { - receiver.send(CORRECTLY_DOWNLOADED_EIP_SERVICE, result); - } else { - receiver.send(INCORRECTLY_DOWNLOADED_EIP_SERVICE, result); - } - } - } - - private String formatErrorMessage(final int toastStringId) { - return formatErrorMessage(getResources().getString(toastStringId)); - } - - private String formatErrorMessage(String errorMessage) { - return "{ \"" + ERRORS + "\" : \"" + errorMessage + "\" }"; - } - - private JSONObject getErrorMessageAsJson(final int toastStringId) { - try { - return new JSONObject(formatErrorMessage(toastStringId)); - } catch (JSONException e) { - e.printStackTrace(); - return new JSONObject(); - } - } - - private JSONObject getErrorMessageAsJson(String message) { - try { - return new JSONObject(formatErrorMessage(message)); - } catch (JSONException e) { - e.printStackTrace(); - return new JSONObject(); - } - } - - private OkHttpClient initHttpClient(JSONObject initError, boolean isSelfSigned) { - try { - TLSCompatSocketFactory sslCompatFactory; - ConnectionSpec spec = getConnectionSpec(); - OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder(); - if (isSelfSigned) { - sslCompatFactory = new TLSCompatSocketFactory(preferences.getString(Provider.CA_CERT, "")); - - } else { - sslCompatFactory = new TLSCompatSocketFactory(); - } - sslCompatFactory.initSSLSocketFactory(clientBuilder); - clientBuilder.cookieJar(getCookieJar()) - .connectionSpecs(Collections.singletonList(spec)); - return clientBuilder.build(); - } catch (IllegalStateException e) { - e.printStackTrace(); - initError = getErrorMessageAsJson(String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage())); - } catch (KeyStoreException e) { - e.printStackTrace(); - initError = getErrorMessageAsJson(String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage())); - } catch (KeyManagementException e) { - e.printStackTrace(); - initError = getErrorMessageAsJson(String.format(getResources().getString(keyChainAccessError), e.getLocalizedMessage())); - } catch (NoSuchAlgorithmException e) { - e.printStackTrace(); - initError = getErrorMessageAsJson(getResources().getString(error_no_such_algorithm_exception_user_message)); - } catch (CertificateException e) { - e.printStackTrace(); - initError = getErrorMessageAsJson(getResources().getString(certificate_error)); - } catch (UnknownHostException e) { - e.printStackTrace(); - initError = getErrorMessageAsJson(getResources().getString(server_unreachable_message)); - } catch (IOException e) { - e.printStackTrace(); - initError = getErrorMessageAsJson(getResources().getString(error_io_exception_user_message)); - } catch (NoSuchProviderException e) { - e.printStackTrace(); - initError = getErrorMessageAsJson(getResources().getString(error_no_such_algorithm_exception_user_message)); - } - return null; - } - private OkHttpClient initCommercialCAHttpClient(JSONObject initError) { - return initHttpClient(initError, false); - } - - private OkHttpClient initSelfSignedCAHttpClient(JSONObject initError) { - return initHttpClient(initError, true); - } - - @NonNull - private ConnectionSpec getConnectionSpec() { - ConnectionSpec.Builder connectionSpecbuilder = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) - .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_3); - //FIXME: restrict connection further to the following recommended cipher suites for ALL supported API levels - //figure out how to use bcjsse for that purpose - if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP_MR1) - connectionSpecbuilder.cipherSuites( - CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, - CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, - CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - ); - return connectionSpecbuilder.build(); - } - - @NonNull - private CookieJar getCookieJar() { - return new CookieJar() { - private final HashMap> cookieStore = new HashMap<>(); - - @Override - public void saveFromResponse(HttpUrl url, List cookies) { - cookieStore.put(url.host(), cookies); - } - - @Override - public List loadForRequest(HttpUrl url) { - List cookies = cookieStore.get(url.host()); - return cookies != null ? cookies : new ArrayList(); - } - }; - } - - - private Bundle tryToRegister(Bundle task) { - Bundle result = new Bundle(); - int progress = 0; - - String username = User.userName(); - String password = task.getString(SessionDialog.PASSWORD); - - if (validUserLoginData(username, password)) { - result = register(username, password); - broadcastProgress(progress++); - } else { - if (!wellFormedPassword(password)) { - result.putBoolean(RESULT_KEY, false); - result.putString(SessionDialog.USERNAME, username); - result.putBoolean(SessionDialog.ERRORS.PASSWORD_INVALID_LENGTH.toString(), true); - } - if (!validUsername(username)) { - result.putBoolean(RESULT_KEY, false); - result.putBoolean(SessionDialog.ERRORS.USERNAME_MISSING.toString(), true); - } - } - - return result; - } - - private Bundle register(String username, String password) { - JSONObject stepResult = null; - OkHttpClient okHttpClient = initSelfSignedCAHttpClient(stepResult); - if (okHttpClient == null) { - return authFailedNotification(stepResult, username); - } - - LeapSRPSession client = new LeapSRPSession(username, password); - byte[] salt = client.calculateNewSalt(); - - BigInteger password_verifier = client.calculateV(username, password, salt); - - stepResult = sendNewUserDataToSRPServer(provider_api_url, username, new BigInteger(1, salt).toString(16), password_verifier.toString(16), okHttpClient); - - Bundle result = new Bundle(); - if (stepResult.has(ERRORS)) - result = authFailedNotification(stepResult, username); - else { - result.putString(SessionDialog.USERNAME, username); - result.putString(SessionDialog.PASSWORD, password); - result.putBoolean(RESULT_KEY, true); - } - - return result; - } - - /** - * Starts the authentication process using SRP protocol. - * - * @param task containing: username, password and api url. - * @return a bundle with a boolean value mapped to a key named RESULT_KEY, and which is true if authentication was successful. - */ - private Bundle tryToAuthenticate(Bundle task) { - Bundle result = new Bundle(); - int progress = 0; - - String username = User.userName(); - String password = task.getString(SessionDialog.PASSWORD); - if (validUserLoginData(username, password)) { - result = authenticate(username, password); - broadcastProgress(progress++); - } else { - if (!wellFormedPassword(password)) { - result.putBoolean(RESULT_KEY, false); - result.putString(SessionDialog.USERNAME, username); - result.putBoolean(SessionDialog.ERRORS.PASSWORD_INVALID_LENGTH.toString(), true); - } - if (!validUsername(username)) { - result.putBoolean(RESULT_KEY, false); - result.putBoolean(SessionDialog.ERRORS.USERNAME_MISSING.toString(), true); - } - } - - return result; - } - - - private Bundle authenticate(String username, String password) { - Bundle result = new Bundle(); - JSONObject stepResult = new JSONObject(); - OkHttpClient okHttpClient = initSelfSignedCAHttpClient(stepResult); - if (okHttpClient == null) { - return authFailedNotification(stepResult, username); - } - - LeapSRPSession client = new LeapSRPSession(username, password); - byte[] A = client.exponential(); - - stepResult = sendAToSRPServer(provider_api_url, username, new BigInteger(1, A).toString(16), okHttpClient); - try { - String salt = stepResult.getString(LeapSRPSession.SALT); - byte[] Bbytes = new BigInteger(stepResult.getString("B"), 16).toByteArray(); - byte[] M1 = client.response(new BigInteger(salt, 16).toByteArray(), Bbytes); - if (M1 != null) { - stepResult = sendM1ToSRPServer(provider_api_url, username, M1, okHttpClient); - setTokenIfAvailable(stepResult); - byte[] M2 = new BigInteger(stepResult.getString(LeapSRPSession.M2), 16).toByteArray(); - if (client.verify(M2)) { - result.putBoolean(RESULT_KEY, true); - } else { - authFailedNotification(stepResult, username); - } - } else { - result.putBoolean(RESULT_KEY, false); - result.putString(SessionDialog.USERNAME, username); - result.putString(getResources().getString(R.string.user_message), getResources().getString(R.string.error_srp_math_error_user_message)); - } - } catch (JSONException e) { - result = authFailedNotification(stepResult, username); - e.printStackTrace(); - } - - return result; - } - - private boolean setTokenIfAvailable(JSONObject authentication_step_result) { - try { - LeapSRPSession.setToken(authentication_step_result.getString(LeapSRPSession.TOKEN)); - } catch (JSONException e) { - return false; - } - return true; - } - - private Bundle authFailedNotification(JSONObject result, String username) { - Bundle userNotificationBundle = new Bundle(); - Object baseErrorMessage = result.opt(ERRORS); - if (baseErrorMessage != null) { - if (baseErrorMessage instanceof JSONObject) { - try { - JSONObject errorMessage = result.getJSONObject(ERRORS); - String errorType = errorMessage.keys().next().toString(); - String message = errorMessage.get(errorType).toString(); - userNotificationBundle.putString(getResources().getString(R.string.user_message), message); - } catch (JSONException e) { - e.printStackTrace(); - } - } else if (baseErrorMessage instanceof String) { - try { - String errorMessage = result.getString(ERRORS); - userNotificationBundle.putString(getResources().getString(R.string.user_message), errorMessage); - } catch (JSONException e) { - e.printStackTrace(); - } - } - } - - if (!username.isEmpty()) - userNotificationBundle.putString(SessionDialog.USERNAME, username); - userNotificationBundle.putBoolean(RESULT_KEY, false); - - return userNotificationBundle; - } - - /** - * Sets up an intent with the progress value passed as a parameter - * and sends it as a broadcast. - * - * @param progress - */ - private void broadcastProgress(int progress) { - Intent intentUpdate = new Intent(); - intentUpdate.setAction(UPDATE_PROGRESSBAR); - intentUpdate.addCategory(Intent.CATEGORY_DEFAULT); - intentUpdate.putExtra(CURRENT_PROGRESS, progress); - sendBroadcast(intentUpdate); - } - - /** - * Validates parameters entered by the user to log in - * - * @param username - * @param password - * @return true if both parameters are present and the entered password length is greater or equal to eight (8). - */ - private boolean validUserLoginData(String username, String password) { - return validUsername(username) && wellFormedPassword(password); - } - - private boolean validUsername(String username) { - return username != null && !username.isEmpty(); - } - - /** - * Validates a password - * - * @param password - * @return true if the entered password length is greater or equal to eight (8). - */ - private boolean wellFormedPassword(String password) { - return password != null && password.length() >= 8; - } - - /** - * Sends an HTTP POST request to the authentication server with the SRP Parameter A. - * - * @param server_url - * @param username - * @param clientA First SRP parameter sent - * @param okHttpClient - * @return response from authentication server - */ - private JSONObject sendAToSRPServer(String server_url, String username, String clientA, OkHttpClient okHttpClient) { - SrpCredentials srpCredentials = new SrpCredentials(username, clientA); - return sendToServer(server_url + "/sessions.json", "POST", srpCredentials.toString(), okHttpClient); - } - - /** - * Sends an HTTP PUT request to the authentication server with the SRP Parameter M1 (or simply M). - * - * @param server_url - * @param username - * @param m1 Second SRP parameter sent - * @param okHttpClient - * @return response from authentication server - */ - private JSONObject sendM1ToSRPServer(String server_url, String username, byte[] m1, OkHttpClient okHttpClient) { - - String m1json = "{\"client_auth\":\"" + new BigInteger(1, ConfigHelper.trim(m1)).toString(16)+ "\"}"; - return sendToServer(server_url + "/sessions/" + username + ".json", "PUT", m1json, okHttpClient); - } - - /** - * Sends an HTTP POST request to the api server to register a new user. - * - * @param server_url - * @param username - * @param salt - * @param password_verifier - * @return response from authentication server - */ - private JSONObject sendNewUserDataToSRPServer(String server_url, String username, String salt, String password_verifier, OkHttpClient okHttpClient) { - return sendToServer(server_url + "/users.json", "POST", new SrpRegistrationData(username, salt, password_verifier).toString(), okHttpClient); - } - - private JSONObject sendToServer(String url, String request_method, String jsonString, OkHttpClient okHttpClient) { - return requestJsonFromServer(url, request_method, jsonString, null, okHttpClient); - } - - private String sendGetStringToServer(String url, List> headerArgs, OkHttpClient okHttpClient) { - return requestStringFromServer(url, "GET", null, headerArgs, okHttpClient); - } - - - - private JSONObject requestJsonFromServer(String url, String request_method, String jsonString, List> headerArgs, @NonNull OkHttpClient okHttpClient) { - JSONObject responseJson; - String plain_response = requestStringFromServer(url, request_method, jsonString, headerArgs, okHttpClient); - - try { - responseJson = new JSONObject(plain_response); - } catch (JSONException e) { - e.printStackTrace(); - responseJson = getErrorMessageAsJson(error_json_exception_user_message); - } - return responseJson; - - } - - private String requestStringFromServer(String url, String request_method, String jsonString, List> headerArgs, @NonNull OkHttpClient okHttpClient) { - Response response; - String plainResponseBody = null; - - RequestBody jsonBody = jsonString != null ? RequestBody.create(JSON, jsonString) : null; - Request.Builder requestBuilder = new Request.Builder() - .url(url) - .method(request_method, jsonBody); - if (headerArgs != null) { - for (Pair keyValPair : headerArgs) { - requestBuilder.addHeader(keyValPair.first, keyValPair.second); - } - } - //TODO: move to getHeaderArgs()? - String locale = Locale.getDefault().getLanguage() + Locale.getDefault().getCountry(); - requestBuilder.addHeader("Accept-Language", locale); - Request request = requestBuilder.build(); - - try { - response = okHttpClient.newCall(request).execute(); - - InputStream inputStream = response.body().byteStream(); - Scanner scanner = new Scanner(inputStream).useDelimiter("\\A"); - if (scanner.hasNext()) { - plainResponseBody = scanner.next(); - } - - } catch (NullPointerException npe) { - plainResponseBody = formatErrorMessage(error_json_exception_user_message); - } catch (UnknownHostException e) { - plainResponseBody = formatErrorMessage(server_unreachable_message); - } catch (MalformedURLException e) { - plainResponseBody = formatErrorMessage(malformed_url); - } catch (SocketTimeoutException e) { - plainResponseBody = formatErrorMessage(server_unreachable_message); - } catch (SSLHandshakeException e) { - plainResponseBody = formatErrorMessage(certificate_error); - } catch (ConnectException e) { - plainResponseBody = formatErrorMessage(service_is_down_error); - } catch (IllegalArgumentException e) { - plainResponseBody = formatErrorMessage(error_no_such_algorithm_exception_user_message); - } catch (UnknownServiceException e) { - //unable to find acceptable protocols - tlsv1.2 not enabled? - plainResponseBody = formatErrorMessage(error_no_such_algorithm_exception_user_message); - } catch (IOException e) { - plainResponseBody = formatErrorMessage(error_io_exception_user_message); - } - - return plainResponseBody; - } - /** * Downloads a provider.json from a given URL, adding a new provider using the given name. * * @param task containing a boolean meaning if the provider is custom or not, another boolean meaning if the user completely trusts this provider, the provider name and its provider.json url. * @return a bundle with a boolean value mapped to a key named RESULT_KEY, and which is true if the update was successful. */ - private Bundle setUpProvider(Bundle task) { + @Override + protected Bundle setUpProvider(Bundle task) { int progress = 0; Bundle current_download = new Bundle(); @@ -715,75 +115,6 @@ public class ProviderAPI extends IntentService { return current_download; } - private Bundle downloadCACert(boolean danger_on) { - Bundle result = new Bundle(); - try { - JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, "")); - String ca_cert_url = provider_json.getString(Provider.CA_CERT_URI); - String cert_string = downloadWithCommercialCA(ca_cert_url, danger_on); - - if (validCertificate(cert_string) && go_ahead) { - preferences.edit().putString(Provider.CA_CERT, cert_string).commit(); - result.putBoolean(RESULT_KEY, true); - } else { - String reason_to_fail = pickErrorMessage(cert_string); - result.putString(ERRORS, reason_to_fail); - result.putBoolean(RESULT_KEY, false); - } - } catch (JSONException e) { - String reason_to_fail = formatErrorMessage(malformed_url); - result.putString(ERRORS, reason_to_fail); - result.putBoolean(RESULT_KEY, false); - } - - return result; - } - - public static boolean caCertDownloaded() { - return CA_CERT_DOWNLOADED; - } - - private boolean validCertificate(String cert_string) { - boolean result = false; - if (!ConfigHelper.checkErroneousDownload(cert_string)) { - X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(cert_string); - try { - if (certificate != null) { - JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, "")); - String fingerprint = provider_json.getString(Provider.CA_CERT_FINGERPRINT); - String encoding = fingerprint.split(":")[0]; - String expected_fingerprint = fingerprint.split(":")[1]; - String real_fingerprint = base64toHex(Base64.encodeToString( - MessageDigest.getInstance(encoding).digest(certificate.getEncoded()), - Base64.DEFAULT)); - - result = real_fingerprint.trim().equalsIgnoreCase(expected_fingerprint.trim()); - } else - result = false; - } catch (JSONException e) { - result = false; - } catch (NoSuchAlgorithmException e) { - result = false; - } catch (CertificateEncodingException e) { - result = false; - } - } - - return result; - } - - private String base64toHex(String base64_input) { - byte[] byteArray = Base64.decode(base64_input, Base64.DEFAULT); - int readBytes = byteArray.length; - StringBuffer hexData = new StringBuffer(); - int onebyte; - for (int i = 0; i < readBytes; i++) { - onebyte = ((0x000000ff & byteArray[i]) | 0xffffff00); - hexData.append(Integer.toHexString(onebyte).substring(6)); - } - return hexData.toString(); - } - private Bundle getAndSetProviderJson(String provider_main_url, boolean danger_on, String provider_ca_cert_fingerprint) { Bundle result = new Bundle(); @@ -815,14 +146,19 @@ public class ProviderAPI extends IntentService { return result; } - private Bundle getAndSetEipServiceJson() { + /** + * Downloads the eip-service.json from a given URL, and saves eip service capabilities including the offered gateways + * @return a bundle with a boolean value mapped to a key named RESULT_KEY, and which is true if the download was successful. + */ + @Override + protected Bundle getAndSetEipServiceJson() { Bundle result = new Bundle(); String eip_service_json_string = ""; if (go_ahead) { try { JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, "")); String eip_service_url = provider_json.getString(Provider.API_URL) + "/" + provider_json.getString(Provider.API_VERSION) + "/" + EIP.SERVICE_API_PATH; - eip_service_json_string = downloadWithProviderCA(eip_service_url, true); + eip_service_json_string = downloadWithProviderCA(eip_service_url, last_danger_on); JSONObject eip_service_json = new JSONObject(eip_service_json_string); eip_service_json.getInt(Provider.API_RETURN_SERIAL); @@ -839,23 +175,58 @@ public class ProviderAPI extends IntentService { } /** - * Interprets the error message as a JSON object and extract the "errors" keyword pair. - * If the error message is not a JSON object, then it is returned untouched. + * Downloads a new OpenVPN certificate, attaching authenticated cookie for authenticated certificate. * - * @param string_json_error_message - * @return final error message + * @return true if certificate was downloaded correctly, false if provider.json is not present in SharedPreferences, or if the certificate url could not be parsed as a URI, or if there was an SSL error. */ - private String pickErrorMessage(String string_json_error_message) { - String error_message = ""; + @Override + protected boolean updateVpnCertificate() { try { - JSONObject json_error_message = new JSONObject(string_json_error_message); - error_message = json_error_message.getString(ERRORS); + JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, "")); + + String provider_main_url = provider_json.getString(Provider.API_URL); + URL new_cert_string_url = new URL(provider_main_url + "/" + provider_json.getString(Provider.API_VERSION) + "/" + Constants.VPN_CERTIFICATE); + + String cert_string = downloadWithProviderCA(new_cert_string_url.toString(), last_danger_on); + + if (cert_string.isEmpty() || ConfigHelper.checkErroneousDownload(cert_string)) + return false; + else + return loadCertificate(cert_string); + } catch (IOException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + return false; } catch (JSONException e) { // TODO Auto-generated catch block - error_message = string_json_error_message; + e.printStackTrace(); + return false; } + } + - return error_message; + private Bundle downloadCACert(boolean danger_on) { + Bundle result = new Bundle(); + try { + JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, "")); + String ca_cert_url = provider_json.getString(Provider.CA_CERT_URI); + String cert_string = downloadWithCommercialCA(ca_cert_url, danger_on); + + if (validCertificate(cert_string) && go_ahead) { + preferences.edit().putString(Provider.CA_CERT, cert_string).commit(); + result.putBoolean(RESULT_KEY, true); + } else { + String reason_to_fail = pickErrorMessage(cert_string); + result.putString(ERRORS, reason_to_fail); + result.putBoolean(RESULT_KEY, false); + } + } catch (JSONException e) { + String reason_to_fail = formatErrorMessage(malformed_url); + result.putString(ERRORS, reason_to_fail); + result.putBoolean(RESULT_KEY, false); + } + + return result; } //TODO: refactor with ticket #8773 @@ -868,7 +239,7 @@ public class ProviderAPI extends IntentService { HttpsURLConnection connection = PinningHelper.getPinnedHttpsURLConnection(getApplicationContext(), pins, url); connection.setConnectTimeout(seconds_of_timeout * 1000); if (!LeapSRPSession.getToken().isEmpty()) - connection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token = " + LeapSRPSession.getToken()); + connection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token=" + LeapSRPSession.getToken()); result = new Scanner(connection.getInputStream()).useDelimiter("\\A").next(); } catch (IOException e) { if(e instanceof SSLHandshakeException) { @@ -918,16 +289,6 @@ public class ProviderAPI extends IntentService { return responseString; } - @NonNull - private List> getAuthorizationHeader() { - List> headerArgs = new ArrayList<>(); - if (!LeapSRPSession.getToken().isEmpty()) { - Pair authorizationHeaderPair = new Pair<>(LeapSRPSession.AUTHORIZATION_HEADER, "Token token=" + LeapSRPSession.getToken()); - headerArgs.add(authorizationHeaderPair); - } - return headerArgs; - } - /** * Tries to download the contents of the provided url using not commercially validated CA certificate from chosen provider. * @@ -1020,97 +381,4 @@ public class ProviderAPI extends IntentService { return string; } - /** - * Logs out from the api url retrieved from the task. - * - * @return true if there were no exceptions - */ - private boolean logOut() { - - OkHttpClient okHttpClient = initSelfSignedCAHttpClient(new JSONObject()); - if (okHttpClient == null) { - return false; - } - - String deleteUrl = provider_api_url + "/logout"; - int progress = 0; - - Request.Builder requestBuilder = new Request.Builder() - .url(deleteUrl) - .delete(); - Request request = requestBuilder.build(); - - try { - Response response = okHttpClient.newCall(request).execute(); - // v---- was already not authorized - if (response.isSuccessful() || response.code() == 401) { - broadcastProgress(progress++); - LeapSRPSession.setToken(""); - } - - } catch (IOException e) { - return false; - } - return true; - } - - /** - * Downloads a new OpenVPN certificate, attaching authenticated cookie for authenticated certificate. - * - * @return true if certificate was downloaded correctly, false if provider.json or danger_on flag are not present in SharedPreferences, or if the certificate url could not be parsed as a URI, or if there was an SSL error. - */ - private boolean updateVpnCertificate() { - try { - JSONObject provider_json = new JSONObject(preferences.getString(Provider.KEY, "")); - - String provider_main_url = provider_json.getString(Provider.API_URL); - URL new_cert_string_url = new URL(provider_main_url + "/" + provider_json.getString(Provider.API_VERSION) + "/" + Constants.VPN_CERTIFICATE); - - boolean danger_on = preferences.getBoolean(ProviderItem.DANGER_ON, false); - - String cert_string = downloadWithProviderCA(new_cert_string_url.toString(), danger_on); - - if (cert_string.isEmpty() || ConfigHelper.checkErroneousDownload(cert_string)) - return false; - else - return loadCertificate(cert_string); - } catch (JSONException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - return false; - } catch (MalformedURLException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - return false; - } - } - - private boolean loadCertificate(String cert_string) { - try { - // API returns concatenated cert & key. Split them for OpenVPN options - String certificateString = null, keyString = null; - String[] certAndKey = cert_string.split("(?<=-\n)"); - for (int i = 0; i < certAndKey.length - 1; i++) { - if (certAndKey[i].contains("KEY")) { - keyString = certAndKey[i++] + certAndKey[i]; - } else if (certAndKey[i].contains("CERTIFICATE")) { - certificateString = certAndKey[i++] + certAndKey[i]; - } - } - RSAPrivateKey keyCert = ConfigHelper.parseRsaKeyFromString(keyString); - keyString = Base64.encodeToString(keyCert.getEncoded(), Base64.DEFAULT); - preferences.edit().putString(Constants.PRIVATE_KEY, "-----BEGIN RSA PRIVATE KEY-----\n" + keyString + "-----END RSA PRIVATE KEY-----").commit(); - - X509Certificate certCert = ConfigHelper.parseX509CertificateFromString(certificateString); - certificateString = Base64.encodeToString(certCert.getEncoded(), Base64.DEFAULT); - - preferences.edit().putString(Constants.VPN_CERTIFICATE, "-----BEGIN CERTIFICATE-----\n" + certificateString + "-----END CERTIFICATE-----").commit(); - - return true; - } catch (CertificateException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - return false; - } - } } -- cgit v1.2.3