Use TLS 1.3 compatible external key management

author: Arne Schwabe <arne@rfc2549.org> 2018-10-08 00:49:11 +0300
committer: Arne Schwabe <arne@rfc2549.org> 2018-10-08 00:49:11 +0300
commit: 3cb8f44a92471e43589a80067380d7b262c18c20 (patch)
tree: 821d271d3fb986c65f3a54da5a79b4652811fcb1 /main
parent: de2173c73acd042d5364685ac36fa287161face2 (diff)
3 files changed, 15 insertions, 7 deletions
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index db8f157c..1ac4d2ca 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -429,6 +429,11 @@ public class VpnProfile implements Serializable, Cloneable {
                 cfg.append("auth-user-pass\n");
             case VpnProfile.TYPE_PKCS12:
                 cfg.append(insertFileData("pkcs12", mPKCS12Filename));
+
+                if (!TextUtils.isEmpty(mCaFilename))
+                {
+                    cfg.append(insertFileData("ca", mCaFilename));
+                }
                 break;
 
             case VpnProfile.TYPE_USERPASS_KEYSTORE:
@@ -443,7 +448,7 @@ public class VpnProfile implements Serializable, Cloneable {
                         if (ks[1] != null)
                             cfg.append("<extra-certs>\n").append(ks[1]).append("\n</extra-certs>\n");
                         cfg.append("<cert>\n").append(ks[2]).append("\n</cert>\n");
-                        cfg.append("management-external-key\n");
+                        cfg.append("management-external-key nopadding\n");
                     } else {
                         cfg.append(context.getString(R.string.keychain_access)).append("\n");
                         if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN)
@@ -1113,13 +1118,13 @@ public class VpnProfile implements Serializable, Cloneable {
     }
 
     @Nullable
-    public String getSignedData(Context c, String b64data) {
+    public String getSignedData(Context c, String b64data, boolean pkcs1padding) {
         byte[] data = Base64.decode(b64data, Base64.DEFAULT);
         byte[] signed_bytes;
         if (mAuthenticationType == TYPE_EXTERNAL_APP)
             signed_bytes = getExtAppSignedData(c, data);
         else
-            signed_bytes = getKeyChainSignedData(data);
+            signed_bytes = getKeyChainSignedData(data, pkcs1padding);
 
         if (signed_bytes != null)
             return Base64.encodeToString(signed_bytes, Base64.NO_WRAP);
@@ -1138,7 +1143,7 @@ public class VpnProfile implements Serializable, Cloneable {
         }
     }
 
-    private byte[] getKeyChainSignedData(byte[] data) {
+    private byte[] getKeyChainSignedData(byte[] data, boolean pkcs1padding) {
 
         PrivateKey privkey = getKeystoreKey();
         // The Jelly Bean *evil* Hack
@@ -1165,7 +1170,10 @@ public class VpnProfile implements Serializable, Cloneable {
                the public/private part in the TLS exchange
              */
                 Cipher signer;
-                signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
+                if (pkcs1padding)
+                    signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
+                else
+                    signer = Cipher.getInstance("RSA/ECB/NoPadding");
 
 
                 signer.init(Cipher.ENCRYPT_MODE, privkey);
diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
index b2d26836..bfc91d90 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java
@@ -751,7 +751,7 @@ public class OpenVpnManagementThread implements Runnable, OpenVPNManagement {
 
     private void processSignCommand(String b64data) {
 
-        String signed_string = mProfile.getSignedData(mOpenVPNService, b64data);
+        String signed_string = mProfile.getSignedData(mOpenVPNService, b64data, false);
 
         if (signed_string == null) {
             managmentCommand("pk-sig\n");
diff --git a/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
index 97a793a4..078fa218 100644
--- a/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
+++ b/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@@ -241,7 +241,7 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
 	@Override
 	public void external_pki_sign_request(ClientAPI_ExternalPKISignRequest signreq) {
 		VpnStatus.logDebug("Got external PKI signing request from OpenVPN core");
-		signreq.setSig(mVp.getSignedData(mService, signreq.getData()));
+		signreq.setSig(mVp.getSignedData(mService, signreq.getData(),true));
 	}
 
 	void setUserPW() {
author	Arne Schwabe <arne@rfc2549.org>	2018-10-08 00:49:11 +0300
committer	Arne Schwabe <arne@rfc2549.org>	2018-10-08 00:49:11 +0300
commit	3cb8f44a92471e43589a80067380d7b262c18c20 (patch)
tree	821d271d3fb986c65f3a54da5a79b4652811fcb1 /main
parent	de2173c73acd042d5364685ac36fa287161face2 (diff)