From e2b289726f3c1813f9fafecc94bc61a70dbdb899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Tue, 21 Apr 2015 20:37:19 +0200 Subject: Pinning connection to provider.json Using AndroidPinning library from Moxie, I make sure the provider.json file Bitmask downloads is fetched from a pinned https connection, so that the api certificate fingerprint is the good one. --- .../se/leap/bitmaskclient/ConfigurationWizard.java | 23 ++++++------ .../java/se/leap/bitmaskclient/ProviderAPI.java | 43 ++++++++++++++++++++-- 2 files changed, 51 insertions(+), 15 deletions(-) (limited to 'app/src/release') diff --git a/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java b/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java index 19ba1ba8..68ff9e47 100644 --- a/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java +++ b/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java @@ -126,7 +126,7 @@ public class ConfigurationWizard extends Activity if (fragment_manager.findFragmentByTag(ProviderDetailFragment.TAG) == null && setting_up_provider) { if (selected_provider != null) - onItemSelectedUi(selected_provider); + onItemSelectedUi(); if (progress > 0) mProgressBar.setProgress(progress); } @@ -229,17 +229,17 @@ public class ConfigurationWizard extends Activity void onItemSelected(int position) { //TODO Code 2 pane view selected_provider = adapter.getItem(position); - onItemSelectedUi(selected_provider); - onItemSelectedLogic(selected_provider); + onItemSelectedUi(); + onItemSelectedLogic(); } - private void onItemSelectedLogic(Provider selected_provider) { - setUpProvider(selected_provider.mainUrl()); + private void onItemSelectedLogic() { + setUpProvider(); } - private void onItemSelectedUi(Provider provider) { + private void onItemSelectedUi() { startProgressBar(); - adapter.hideAllBut(adapter.indexOf(provider)); + adapter.hideAllBut(adapter.indexOf(selected_provider)); } @Override @@ -379,8 +379,8 @@ public class ConfigurationWizard extends Activity private void autoSelectProvider(Provider provider) { selected_provider = provider; - onItemSelectedUi(selected_provider); - onItemSelectedLogic(selected_provider); + onItemSelectedUi(); + onItemSelectedLogic(); } /** @@ -389,10 +389,11 @@ public class ConfigurationWizard extends Activity * @param provider_name * @param provider_main_url */ - public void setUpProvider(URL provider_main_url) { + public void setUpProvider() { Intent provider_API_command = new Intent(this, ProviderAPI.class); Bundle parameters = new Bundle(); - parameters.putString(Provider.MAIN_URL, provider_main_url.toString()); + parameters.putString(Provider.MAIN_URL, selected_provider.mainUrl().toString()); + parameters.putString(Provider.CA_CERT_FINGERPRINT, selected_provider.certificatePin()); provider_API_command.setAction(ProviderAPI.SET_UP_PROVIDER); provider_API_command.putExtra(ProviderAPI.PARAMETERS, parameters); diff --git a/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java index 890262ce..a96556bc 100644 --- a/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java +++ b/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java @@ -34,6 +34,7 @@ import javax.net.ssl.*; import org.apache.http.client.*; import org.json.*; +import org.thoughtcrime.ssl.pinning.util.*; import se.leap.bitmaskclient.ProviderListContent.ProviderItem; import se.leap.bitmaskclient.eip.*; @@ -87,6 +88,7 @@ public class ProviderAPI extends IntentService { private static boolean go_ahead = true; private static SharedPreferences preferences; private static String provider_api_url; + private static String provider_ca_cert_fingerprint; private Resources resources; public static void stop() { @@ -504,13 +506,19 @@ public class ProviderAPI extends IntentService { Bundle current_download = new Bundle(); if (task != null && task.containsKey(Provider.MAIN_URL)) { - last_provider_main_url = task.getString(Provider.MAIN_URL); + last_provider_main_url = task.containsKey(Provider.MAIN_URL) ? + task.getString(Provider.MAIN_URL) : + ""; + provider_ca_cert_fingerprint = task.containsKey(Provider.CA_CERT_FINGERPRINT) ? + task.getString(Provider.CA_CERT_FINGERPRINT) : + ""; + CA_CERT_DOWNLOADED = PROVIDER_JSON_DOWNLOADED = EIP_SERVICE_JSON_DOWNLOADED = false; go_ahead = true; } if (!PROVIDER_JSON_DOWNLOADED) - current_download = getAndSetProviderJson(last_provider_main_url); + current_download = getAndSetProviderJson(last_provider_main_url, provider_ca_cert_fingerprint); if (PROVIDER_JSON_DOWNLOADED || (current_download.containsKey(RESULT_KEY) && current_download.getBoolean(RESULT_KEY))) { broadcastProgress(progress++); PROVIDER_JSON_DOWNLOADED = true; @@ -602,11 +610,16 @@ public class ProviderAPI extends IntentService { return hexData.toString(); } - private Bundle getAndSetProviderJson(String provider_main_url) { + private Bundle getAndSetProviderJson(String provider_main_url, String provider_ca_cert_fingerprint) { Bundle result = new Bundle(); if (go_ahead) { - String provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json"); + String provider_dot_json_string; + + if(provider_ca_cert_fingerprint.isEmpty()) + provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json"); + else + provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json", provider_ca_cert_fingerprint); try { JSONObject provider_json = new JSONObject(provider_dot_json_string); @@ -672,6 +685,28 @@ public class ProviderAPI extends IntentService { return error_message; } + private String downloadWithCommercialCA(String url_string, String ca_cert_fingerprint) { + String result = ""; + + int seconds_of_timeout = 2; + String[] pins = new String[] {ca_cert_fingerprint}; + try { + URL url = new URL(url_string); + HttpsURLConnection connection = PinningHelper.getPinnedHttpsURLConnection(Dashboard.getContext(), pins, url); + connection.setConnectTimeout(seconds_of_timeout * 1000); + if (!LeapSRPSession.getToken().isEmpty()) + connection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token = " + LeapSRPSession.getToken()); + result = new Scanner(connection.getInputStream()).useDelimiter("\\A").next(); + } catch (IOException e) { + if(e instanceof SSLHandshakeException) + result = formatErrorMessage(R.string.error_security_pinnedcertificate); + else + result = formatErrorMessage(R.string.error_io_exception_user_message); + } + + return result; + } + /** * Tries to download the contents of the provided url using commercially validated CA certificate from chosen provider. * -- cgit v1.2.3