From e2b289726f3c1813f9fafecc94bc61a70dbdb899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Tue, 21 Apr 2015 20:37:19 +0200 Subject: Pinning connection to provider.json Using AndroidPinning library from Moxie, I make sure the provider.json file Bitmask downloads is fetched from a pinned https connection, so that the api certificate fingerprint is the good one. --- .../main/java/se/leap/bitmaskclient/Provider.java | 14 +++--- .../se/leap/bitmaskclient/ProviderManager.java | 52 ++++++++++++++-------- 2 files changed, 42 insertions(+), 24 deletions(-) (limited to 'app/src/main/java/se/leap') diff --git a/app/src/main/java/se/leap/bitmaskclient/Provider.java b/app/src/main/java/se/leap/bitmaskclient/Provider.java index ee06a586..54bfcc19 100644 --- a/app/src/main/java/se/leap/bitmaskclient/Provider.java +++ b/app/src/main/java/se/leap/bitmaskclient/Provider.java @@ -32,6 +32,7 @@ public final class Provider implements Parcelable { private JSONObject definition; // Represents our Provider's provider.json private URL main_url; + private String certificate_pin; final public static String API_URL = "api_uri", @@ -62,8 +63,9 @@ public final class Provider implements Parcelable { this.main_url = main_url; } - public Provider(File provider_file) { - + public Provider(URL main_url, String certificate_pin) { + this.main_url = main_url; + this.certificate_pin = certificate_pin; } public static final Parcelable.Creator CREATOR @@ -81,11 +83,9 @@ public final class Provider implements Parcelable { try { main_url = new URL(in.readString()); String definition_string = in.readString(); - if (definition_string != null) + if (!definition_string.isEmpty()) definition = new JSONObject((definition_string)); - } catch (MalformedURLException e) { - e.printStackTrace(); - } catch (JSONException e) { + } catch (MalformedURLException | JSONException e) { e.printStackTrace(); } } @@ -106,6 +106,8 @@ public final class Provider implements Parcelable { return main_url; } + protected String certificatePin() { return certificate_pin; } + protected String getName() { // Should we pass the locale in, or query the system here? String lang = Locale.getDefault().getLanguage(); diff --git a/app/src/main/java/se/leap/bitmaskclient/ProviderManager.java b/app/src/main/java/se/leap/bitmaskclient/ProviderManager.java index 40fe8b5a..220a71c8 100644 --- a/app/src/main/java/se/leap/bitmaskclient/ProviderManager.java +++ b/app/src/main/java/se/leap/bitmaskclient/ProviderManager.java @@ -49,11 +49,14 @@ public class ProviderManager implements AdapteeCollection { Set providers = new HashSet(); try { for (String file : relative_file_paths) { - String main_url = extractMainUrlFromInputStream(assets_manager.open(directory + "/" + file)); - providers.add(new Provider(new URL(main_url))); + InputStream provider_file = assets_manager.open(directory + "/" + file); + String main_url = extractMainUrlFromInputStream(provider_file); + String certificate_pin = extractCertificatePinFromInputStream(provider_file); + if(certificate_pin.isEmpty()) + providers.add(new Provider(new URL(main_url))); + else + providers.add(new Provider(new URL(main_url), certificate_pin)); } - } catch (MalformedURLException e) { - e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } @@ -75,30 +78,43 @@ public class ProviderManager implements AdapteeCollection { String main_url = extractMainUrlFromInputStream(new FileInputStream(external_files_dir.getAbsolutePath() + "/" + file)); providers.add(new Provider(new URL(main_url))); } - } catch (MalformedURLException e) { - e.printStackTrace(); - } catch (FileNotFoundException e) { + } catch (MalformedURLException | FileNotFoundException e) { e.printStackTrace(); } return providers; } - private String extractMainUrlFromInputStream(InputStream input_stream_file_contents) { + private String extractMainUrlFromInputStream(InputStream input_stream) { String main_url = ""; - byte[] bytes = new byte[0]; + + JSONObject file_contents = inputStreamToJson(input_stream); + if(file_contents != null) + main_url = file_contents.optString(Provider.MAIN_URL); + return main_url; + } + + private String extractCertificatePinFromInputStream(InputStream input_stream) { + String certificate_pin = ""; + + JSONObject file_contents = inputStreamToJson(input_stream); + if(file_contents != null) + certificate_pin = file_contents.optString(Provider.CA_CERT_FINGERPRINT); + + return certificate_pin; + } + + private JSONObject inputStreamToJson(InputStream input_stream) { + JSONObject json = null; try { - bytes = new byte[input_stream_file_contents.available()]; - if (input_stream_file_contents.read(bytes) > 0) { - JSONObject file_contents = new JSONObject(new String(bytes)); - main_url = file_contents.getString(Provider.MAIN_URL); - } - } catch (IOException e) { - e.printStackTrace(); - } catch (JSONException e) { + byte[] bytes = new byte[input_stream.available()]; + if (input_stream.read(bytes) > 0) + json = new JSONObject(new String(bytes)); + input_stream.reset(); + } catch (IOException | JSONException e) { e.printStackTrace(); } - return main_url; + return json; } public Set providers() { -- cgit v1.2.3 From 7d6d55cb62fcdc1e3a36f2634f0399b2d77db263 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Wed, 22 Apr 2015 12:29:04 +0200 Subject: Initialize ca fingerprint, avoiding nullpointer Danger on defaults to true in debug build --- app/src/main/java/se/leap/bitmaskclient/Provider.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/src/main/java/se/leap') diff --git a/app/src/main/java/se/leap/bitmaskclient/Provider.java b/app/src/main/java/se/leap/bitmaskclient/Provider.java index 54bfcc19..a030927d 100644 --- a/app/src/main/java/se/leap/bitmaskclient/Provider.java +++ b/app/src/main/java/se/leap/bitmaskclient/Provider.java @@ -32,7 +32,7 @@ public final class Provider implements Parcelable { private JSONObject definition; // Represents our Provider's provider.json private URL main_url; - private String certificate_pin; + private String certificate_pin = ""; final public static String API_URL = "api_uri", -- cgit v1.2.3