From e2b289726f3c1813f9fafecc94bc61a70dbdb899 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Parm=C3=A9nides=20GV?= <parmegv@sdf.org>
Date: Tue, 21 Apr 2015 20:37:19 +0200
Subject: Pinning connection to provider.json

Using AndroidPinning library from Moxie, I make sure the provider.json
file Bitmask downloads is fetched from a pinned https connection, so
that the api certificate fingerprint is the good one.
---
 .../se/leap/bitmaskclient/ConfigurationWizard.java | 23 ++++++------
 .../java/se/leap/bitmaskclient/ProviderAPI.java    | 43 ++++++++++++++++++++--
 2 files changed, 51 insertions(+), 15 deletions(-)

(limited to 'app/src/release')

diff --git a/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java b/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java
index 19ba1ba8..68ff9e47 100644
--- a/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java
+++ b/app/src/release/java/se/leap/bitmaskclient/ConfigurationWizard.java
@@ -126,7 +126,7 @@ public class ConfigurationWizard extends Activity
 
         if (fragment_manager.findFragmentByTag(ProviderDetailFragment.TAG) == null && setting_up_provider) {
             if (selected_provider != null)
-                onItemSelectedUi(selected_provider);
+                onItemSelectedUi();
             if (progress > 0)
                 mProgressBar.setProgress(progress);
         }
@@ -229,17 +229,17 @@ public class ConfigurationWizard extends Activity
     void onItemSelected(int position) {
         //TODO Code 2 pane view
         selected_provider = adapter.getItem(position);
-        onItemSelectedUi(selected_provider);
-        onItemSelectedLogic(selected_provider);
+        onItemSelectedUi();
+        onItemSelectedLogic();
     }
 
-    private void onItemSelectedLogic(Provider selected_provider) {
-        setUpProvider(selected_provider.mainUrl());
+    private void onItemSelectedLogic() {
+        setUpProvider();
     }
 
-    private void onItemSelectedUi(Provider provider) {
+    private void onItemSelectedUi() {
         startProgressBar();
-        adapter.hideAllBut(adapter.indexOf(provider));
+        adapter.hideAllBut(adapter.indexOf(selected_provider));
     }
 
     @Override
@@ -379,8 +379,8 @@ public class ConfigurationWizard extends Activity
 
     private void autoSelectProvider(Provider provider) {
         selected_provider = provider;
-        onItemSelectedUi(selected_provider);
-        onItemSelectedLogic(selected_provider);
+        onItemSelectedUi();
+        onItemSelectedLogic();
     }
 
     /**
@@ -389,10 +389,11 @@ public class ConfigurationWizard extends Activity
      * @param provider_name
      * @param provider_main_url
      */
-    public void setUpProvider(URL provider_main_url) {
+    public void setUpProvider() {
         Intent provider_API_command = new Intent(this, ProviderAPI.class);
         Bundle parameters = new Bundle();
-        parameters.putString(Provider.MAIN_URL, provider_main_url.toString());
+        parameters.putString(Provider.MAIN_URL, selected_provider.mainUrl().toString());
+        parameters.putString(Provider.CA_CERT_FINGERPRINT, selected_provider.certificatePin());
 
         provider_API_command.setAction(ProviderAPI.SET_UP_PROVIDER);
         provider_API_command.putExtra(ProviderAPI.PARAMETERS, parameters);
diff --git a/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java b/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java
index 890262ce..a96556bc 100644
--- a/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java
+++ b/app/src/release/java/se/leap/bitmaskclient/ProviderAPI.java
@@ -34,6 +34,7 @@ import javax.net.ssl.*;
 
 import org.apache.http.client.*;
 import org.json.*;
+import org.thoughtcrime.ssl.pinning.util.*;
 
 import se.leap.bitmaskclient.ProviderListContent.ProviderItem;
 import se.leap.bitmaskclient.eip.*;
@@ -87,6 +88,7 @@ public class ProviderAPI extends IntentService {
     private static boolean go_ahead = true;
     private static SharedPreferences preferences;
     private static String provider_api_url;
+    private static String provider_ca_cert_fingerprint;
     private Resources resources;
 
     public static void stop() {
@@ -504,13 +506,19 @@ public class ProviderAPI extends IntentService {
         Bundle current_download = new Bundle();
 
         if (task != null && task.containsKey(Provider.MAIN_URL)) {
-            last_provider_main_url = task.getString(Provider.MAIN_URL);
+            last_provider_main_url = task.containsKey(Provider.MAIN_URL) ?
+                    task.getString(Provider.MAIN_URL) :
+                    "";
+            provider_ca_cert_fingerprint = task.containsKey(Provider.CA_CERT_FINGERPRINT) ?
+                    task.getString(Provider.CA_CERT_FINGERPRINT) :
+                    "";
+
             CA_CERT_DOWNLOADED = PROVIDER_JSON_DOWNLOADED = EIP_SERVICE_JSON_DOWNLOADED = false;
             go_ahead = true;
         }
 
         if (!PROVIDER_JSON_DOWNLOADED)
-            current_download = getAndSetProviderJson(last_provider_main_url);
+            current_download = getAndSetProviderJson(last_provider_main_url, provider_ca_cert_fingerprint);
         if (PROVIDER_JSON_DOWNLOADED || (current_download.containsKey(RESULT_KEY) && current_download.getBoolean(RESULT_KEY))) {
             broadcastProgress(progress++);
             PROVIDER_JSON_DOWNLOADED = true;
@@ -602,11 +610,16 @@ public class ProviderAPI extends IntentService {
         return hexData.toString();
     }
 
-    private Bundle getAndSetProviderJson(String provider_main_url) {
+    private Bundle getAndSetProviderJson(String provider_main_url, String provider_ca_cert_fingerprint) {
         Bundle result = new Bundle();
 
         if (go_ahead) {
-            String provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json");
+            String provider_dot_json_string;
+
+            if(provider_ca_cert_fingerprint.isEmpty())
+                provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json");
+            else
+                provider_dot_json_string = downloadWithCommercialCA(provider_main_url + "/provider.json", provider_ca_cert_fingerprint);
 
             try {
                 JSONObject provider_json = new JSONObject(provider_dot_json_string);
@@ -672,6 +685,28 @@ public class ProviderAPI extends IntentService {
         return error_message;
     }
 
+    private String downloadWithCommercialCA(String url_string, String ca_cert_fingerprint) {
+        String result = "";
+
+        int seconds_of_timeout = 2;
+        String[] pins = new String[] {ca_cert_fingerprint};
+        try {
+            URL url = new URL(url_string);
+            HttpsURLConnection connection = PinningHelper.getPinnedHttpsURLConnection(Dashboard.getContext(), pins, url);
+            connection.setConnectTimeout(seconds_of_timeout * 1000);
+            if (!LeapSRPSession.getToken().isEmpty())
+                connection.addRequestProperty(LeapSRPSession.AUTHORIZATION_HEADER, "Token token = " + LeapSRPSession.getToken());
+            result = new Scanner(connection.getInputStream()).useDelimiter("\\A").next();
+        } catch (IOException e) {
+            if(e instanceof SSLHandshakeException)
+                result = formatErrorMessage(R.string.error_security_pinnedcertificate);
+            else
+                result = formatErrorMessage(R.string.error_io_exception_user_message);
+        }
+
+        return result;
+    }
+
     /**
      * Tries to download the contents of the provided url using commercially validated CA certificate from chosen provider.
      *
-- 
cgit v1.2.3