summaryrefslogtreecommitdiff
path: root/main/src
diff options
context:
space:
mode:
authorArne Schwabe <arne@rfc2549.org>2018-10-08 00:49:11 +0300
committerArne Schwabe <arne@rfc2549.org>2018-10-08 00:49:11 +0300
commit3cb8f44a92471e43589a80067380d7b262c18c20 (patch)
tree821d271d3fb986c65f3a54da5a79b4652811fcb1 /main/src
parentde2173c73acd042d5364685ac36fa287161face2 (diff)
Use TLS 1.3 compatible external key management
Diffstat (limited to 'main/src')
-rw-r--r--main/src/main/java/de/blinkt/openvpn/VpnProfile.java18
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java2
-rw-r--r--main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java2
3 files changed, 15 insertions, 7 deletions
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index db8f157c..1ac4d2ca 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -429,6 +429,11 @@ public class VpnProfile implements Serializable, Cloneable {
cfg.append("auth-user-pass\n");
case VpnProfile.TYPE_PKCS12:
cfg.append(insertFileData("pkcs12", mPKCS12Filename));
+
+ if (!TextUtils.isEmpty(mCaFilename))
+ {
+ cfg.append(insertFileData("ca", mCaFilename));
+ }
break;
case VpnProfile.TYPE_USERPASS_KEYSTORE:
@@ -443,7 +448,7 @@ public class VpnProfile implements Serializable, Cloneable {
if (ks[1] != null)
cfg.append("<extra-certs>\n").append(ks[1]).append("\n</extra-certs>\n");
cfg.append("<cert>\n").append(ks[2]).append("\n</cert>\n");
- cfg.append("management-external-key\n");
+ cfg.append("management-external-key nopadding\n");
} else {
cfg.append(context.getString(R.string.keychain_access)).append("\n");
if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN)
@@ -1113,13 +1118,13 @@ public class VpnProfile implements Serializable, Cloneable {
}
@Nullable
- public String getSignedData(Context c, String b64data) {
+ public String getSignedData(Context c, String b64data, boolean pkcs1padding) {
byte[] data = Base64.decode(b64data, Base64.DEFAULT);
byte[] signed_bytes;
if (mAuthenticationType == TYPE_EXTERNAL_APP)
signed_bytes = getExtAppSignedData(c, data);
else
- signed_bytes = getKeyChainSignedData(data);
+ signed_bytes = getKeyChainSignedData(data, pkcs1padding);
if (signed_bytes != null)
return Base64.encodeToString(signed_bytes, Base64.NO_WRAP);
@@ -1138,7 +1143,7 @@ public class VpnProfile implements Serializable, Cloneable {
}
}
- private byte[] getKeyChainSignedData(byte[] data) {
+ private byte[] getKeyChainSignedData(byte[] data, boolean pkcs1padding) {
PrivateKey privkey = getKeystoreKey();
// The Jelly Bean *evil* Hack
@@ -1165,7 +1170,10 @@ public class VpnProfile implements Serializable, Cloneable {
the public/private part in the TLS exchange
*/
Cipher signer;
- signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
+ if (pkcs1padding)
+ signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
+ else
+ signer = Cipher.getInstance("RSA/ECB/NoPadding");
signer.init(Cipher.ENCRYPT_MODE, privkey);
diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
index b2d26836..bfc91d90 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
@@ -751,7 +751,7 @@ public class OpenVpnManagementThread implements Runnable, OpenVPNManagement {
private void processSignCommand(String b64data) {
- String signed_string = mProfile.getSignedData(mOpenVPNService, b64data);
+ String signed_string = mProfile.getSignedData(mOpenVPNService, b64data, false);
if (signed_string == null) {
managmentCommand("pk-sig\n");
diff --git a/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
index 97a793a4..078fa218 100644
--- a/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
+++ b/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@@ -241,7 +241,7 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
@Override
public void external_pki_sign_request(ClientAPI_ExternalPKISignRequest signreq) {
VpnStatus.logDebug("Got external PKI signing request from OpenVPN core");
- signreq.setSig(mVp.getSignedData(mService, signreq.getData()));
+ signreq.setSig(mVp.getSignedData(mService, signreq.getData(),true));
}
void setUserPW() {