From 8411cd82c0572e0e871c1cf93e0d4c05b35fb999 Mon Sep 17 00:00:00 2001
From: cyBerta
Date: Thu, 16 Dec 2021 23:45:41 +0100
Subject: allow to parse and handle multiple certs in a pem file
---
.../providersetup/ProviderApiManagerBase.java | 50 ++++++++++++++--------
.../connectivity/TLSCompatSocketFactory.java | 10 ++++-
2 files changed, 39 insertions(+), 21 deletions(-)
(limited to 'app/src/main/java/se/leap/bitmaskclient/providersetup')
diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java
index 808d9e75..63cf03cf 100644
--- a/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java
+++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/ProviderApiManagerBase.java
@@ -849,18 +849,24 @@ public abstract class ProviderApiManagerBase { protected boolean validCertificate(Provider provider, String certString) { boolean result = false; if (!ConfigHelper.checkErroneousDownload(certString)) { - X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(certString); + ArrayList certificates = ConfigHelper.parseX509CertificatesFromString(certString); try { - if (certificate != null) { - JSONObject providerJson = provider.getDefinition(); - String fingerprint = providerJson.getString(Provider.CA_CERT_FINGERPRINT); - String encoding = fingerprint.split(":")[0]; - String expectedFingerprint = fingerprint.split(":")[1]; - String realFingerprint = getFingerprintFromCertificate(certificate, encoding); - - result = realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim()); - } else + if (certificates != null) { + if (certificates.size() == 1) { + JSONObject providerJson = provider.getDefinition(); + String fingerprint = providerJson.getString(Provider.CA_CERT_FINGERPRINT); + String encoding = fingerprint.split(":")[0]; + String expectedFingerprint = fingerprint.split(":")[1]; + String realFingerprint = getFingerprintFromCertificate(certificates.get(0), encoding); + result = realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim()); + } else { + // otherwise we assume the provider is transitioning the CA certs and thus shipping multiple CA certs + // in that case we don't do cert pinning + result = true; + } + } else { result = false; + } } catch (JSONException | NoSuchAlgorithmException | CertificateEncodingException e) { result = false; } 
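Review bot: The new `else` branch sets `result = true` whenever the PEM holds more than one certificate, so in `validCertificate` any bundle of two or more certificates is accepted without a fingerprint comparison and the pin no longer authenticates the download. The same shortcut is in the `@@ -910,18 +916,24 @@` hunk, where `ERROR_CERTIFICATE_PINNING` is only reachable when `certificates.size() == 1`. A CA transition can be supported without dropping the check by requiring that the pinned fingerprint matches at least one certificate in the bundle, as sketched below. Trusting the additional certificates safely would need the provider definition to carry a fingerprint for each of them, which this diff does not show. `validCertificate` continues outside the hunk.

```java
if (certificates != null) {
    // … unchanged: providerJson / fingerprint / encoding / expectedFingerprint parsing …
    // Fail closed: the bundle is accepted only if one of its certificates carries the
    // pinned fingerprint; an empty bundle or one without the pinned CA leaves result false.
    for (X509Certificate certificate : certificates) {
        String realFingerprint = getFingerprintFromCertificate(certificate, encoding);
        if (realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim())) {
            result = true;
            break;
        }
    }
}
```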
@@ -910,18 +916,24 @@ public abstract class ProviderApiManagerBase { return result; } - X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(caCert); - if (certificate == null) { + ArrayList certificates = ConfigHelper.parseX509CertificatesFromString(caCert); + if (certificates == null) { return setErrorResult(result, warning_corrupted_provider_cert, ERROR_INVALID_CERTIFICATE.toString()); } try { - certificate.checkValidity(); String encoding = provider.getCertificatePinEncoding(); String expectedFingerprint = provider.getCertificatePin(); - String realFingerprint = getFingerprintFromCertificate(certificate, encoding); - if (!realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim())) { - return setErrorResult(result, warning_corrupted_provider_cert, ERROR_CERTIFICATE_PINNING.toString()); + // Do certificate pinning only if we have 1 cert, otherwise we assume some transitioning of + // X509 certs, therefore we cannot do cert pinning + if (certificates.size() == 1) { + String realFingerprint = getFingerprintFromCertificate(certificates.get(0), encoding); + if (!realFingerprint.trim().equalsIgnoreCase(expectedFingerprint.trim())) { + return setErrorResult(result, warning_corrupted_provider_cert, ERROR_CERTIFICATE_PINNING.toString()); + } + } + for (X509Certificate certificate : certificates) { + certificate.checkValidity(); } if (!canConnect(provider, result)) { 
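Review bot: The `if (certificates == null)` guard does not reject an empty list. If `parseX509CertificatesFromString` can return one (its body is not part of this diff), both the `size() == 1` pin comparison and the `checkValidity()` loop are skipped and the code proceeds to `canConnect` with nothing verified. Suggest `if (certificates == null || certificates.isEmpty()) {` so that case takes the existing `ERROR_INVALID_CERTIFICATE` path. The enclosing method starts and ends outside the hunk.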
@@ -1073,9 +1085,9 @@ public abstract class ProviderApiManagerBase { keyString = Base64.encodeToString(key.getEncoded(), Base64.DEFAULT); provider.setPrivateKey( "-----BEGIN RSA PRIVATE KEY-----\n" + keyString + "-----END RSA PRIVATE KEY-----"); - X509Certificate certificate = ConfigHelper.parseX509CertificateFromString(certificateString); - certificate.checkValidity(); - certificateString = Base64.encodeToString(certificate.getEncoded(), Base64.DEFAULT); + ArrayList certificates = ConfigHelper.parseX509CertificatesFromString(certificateString); + certificates.get(0).checkValidity(); + certificateString = Base64.encodeToString(certificates.get(0).getEncoded(), Base64.DEFAULT); provider.setVpnCertificate( "-----BEGIN CERTIFICATE-----\n" + certificateString + "-----END CERTIFICATE-----"); result.putBoolean(BROADCAST_RESULT_KEY, true); } catch (CertificateException | NullPointerException e) { diff --git a/app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java b/app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java index 5357fd74..cc68b5a8 100644 --- a/app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java +++ b/app/src/main/java/se/leap/bitmaskclient/providersetup/connectivity/TLSCompatSocketFactory.java @@ -12,6 +12,8 @@ import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.Arrays; import javax.net.ssl.SSLContext; 
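Review bot: `certificates.get(0)` in the `@@ -1073,9 +1085,9 @@` hunk depends on the parser returning a non-empty list. A null result is only handled through the `NullPointerException` catch, and an empty list would raise `IndexOutOfBoundsException`, which the visible `catch (CertificateException | NullPointerException e)` does not cover (the rest of the try/catch is outside the hunk). An explicit guard before the first use fails on the intended path: `if (certificates == null || certificates.isEmpty()) throw new CertificateException("no certificate in VPN certificate response");`. Any further certificates in the response are dropped silently, which deserves a one-line comment if that is intended.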
@@ -55,8 +57,12 @@ public class TLSCompatSocketFactory extends SSLSocketFactory { KeyStore keyStore = KeyStore.getInstance(defaultType); keyStore.load(null, null); if (!TextUtils.isEmpty(trustedSelfSignedCaCert)) { - java.security.cert.Certificate provider_certificate = ConfigHelper.parseX509CertificateFromString(trustedSelfSignedCaCert); - keyStore.setCertificateEntry("provider_ca_certificate", provider_certificate); + ArrayList x509Certificates = ConfigHelper.parseX509CertificatesFromString(trustedSelfSignedCaCert); + if (x509Certificates != null) { + for (int i = 0; i < x509Certificates.size(); i++) { + keyStore.setCertificateEntry("provider_ca_certificate"+i, x509Certificates.get(i)); + } + } } // Create a TrustManager that trusts the CAs in our KeyStore -- cgit v1.2.3
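Review bot: Every certificate parsed from `trustedSelfSignedCaCert` is installed as a trust anchor by the new loop, and this method does no checking of its own. Because the multi-certificate path in `ProviderApiManagerBase` skips the fingerprint comparison, the extra entries are CAs that nothing has pinned. I would document that contract at the loop, e.g. `// each entry becomes a trust anchor; the caller must have verified the bundle against the provider's pin`, and preferably pass in only the certificates that passed pinning. A null parse result is also skipped silently here, leaving an empty trust store whose later handshake failures will not point back to the unparsable certificate; logging or throwing at that point would make the cause visible. The method body continues outside the hunk.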