diff options
author | Arne Schwabe <arne@rfc2549.org> | 2018-10-08 00:49:11 +0300 |
---|---|---|
committer | Arne Schwabe <arne@rfc2549.org> | 2018-10-08 00:49:11 +0300 |
commit | 3cb8f44a92471e43589a80067380d7b262c18c20 (patch) | |
tree | 821d271d3fb986c65f3a54da5a79b4652811fcb1 | |
parent | de2173c73acd042d5364685ac36fa287161face2 (diff) |
Use TLS 1.3 compatible external key management
3 files changed, 15 insertions, 7 deletions
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java index db8f157c..1ac4d2ca 100644 --- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -429,6 +429,11 @@ public class VpnProfile implements Serializable, Cloneable { cfg.append("auth-user-pass\n"); case VpnProfile.TYPE_PKCS12: cfg.append(insertFileData("pkcs12", mPKCS12Filename)); + + if (!TextUtils.isEmpty(mCaFilename)) + { + cfg.append(insertFileData("ca", mCaFilename)); + } break; case VpnProfile.TYPE_USERPASS_KEYSTORE: @@ -443,7 +448,7 @@ public class VpnProfile implements Serializable, Cloneable { if (ks[1] != null) cfg.append("<extra-certs>\n").append(ks[1]).append("\n</extra-certs>\n"); cfg.append("<cert>\n").append(ks[2]).append("\n</cert>\n"); - cfg.append("management-external-key\n"); + cfg.append("management-external-key nopadding\n"); } else { cfg.append(context.getString(R.string.keychain_access)).append("\n"); if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) @@ -1113,13 +1118,13 @@ public class VpnProfile implements Serializable, Cloneable { } @Nullable - public String getSignedData(Context c, String b64data) { + public String getSignedData(Context c, String b64data, boolean pkcs1padding) { byte[] data = Base64.decode(b64data, Base64.DEFAULT); byte[] signed_bytes; if (mAuthenticationType == TYPE_EXTERNAL_APP) signed_bytes = getExtAppSignedData(c, data); else - signed_bytes = getKeyChainSignedData(data); + signed_bytes = getKeyChainSignedData(data, pkcs1padding); if (signed_bytes != null) return Base64.encodeToString(signed_bytes, Base64.NO_WRAP); @@ -1138,7 +1143,7 @@ public class VpnProfile implements Serializable, Cloneable { } } - private byte[] getKeyChainSignedData(byte[] data) { + private byte[] getKeyChainSignedData(byte[] data, boolean pkcs1padding) { PrivateKey privkey = getKeystoreKey(); // The Jelly Bean *evil* Hack @@ -1165,7 +1170,10 @@ public class VpnProfile implements Serializable, Cloneable { the public/private part in the TLS exchange */ Cipher signer; - signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); + if (pkcs1padding) + signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); + else + signer = Cipher.getInstance("RSA/ECB/NoPadding"); signer.init(Cipher.ENCRYPT_MODE, privkey); diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java index b2d26836..bfc91d90 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java +++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java @@ -751,7 +751,7 @@ public class OpenVpnManagementThread implements Runnable, OpenVPNManagement { private void processSignCommand(String b64data) {
- String signed_string = mProfile.getSignedData(mOpenVPNService, b64data);
+ String signed_string = mProfile.getSignedData(mOpenVPNService, b64data, false);
if (signed_string == null) {
managmentCommand("pk-sig\n");
diff --git a/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java index 97a793a4..078fa218 100644 --- a/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java +++ b/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java @@ -241,7 +241,7 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable @Override public void external_pki_sign_request(ClientAPI_ExternalPKISignRequest signreq) { VpnStatus.logDebug("Got external PKI signing request from OpenVPN core"); - signreq.setSig(mVp.getSignedData(mService, signreq.getData())); + signreq.setSig(mVp.getSignedData(mService, signreq.getData(),true)); } void setUserPW() { |