From 13e05504181d87958af95365876a53e5015fafde Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sun, 17 Jun 2012 17:48:52 +0200 Subject: - Fix last commit - Implement reading extra CA cert from file to fix keystore error on some mobile phones --- res/layout/basic_settings.xml | 6 ++++++ res/layout/file_dialog_main.xml | 2 +- res/layout/keystore_selector.xml | 2 +- res/values-de/strings.xml | 6 +++++- res/values/strings.xml | 8 +++++--- src/de/blinkt/openvpn/LaunchVPN.java | 2 +- src/de/blinkt/openvpn/OpenVPN.java | 11 +++++++++++ src/de/blinkt/openvpn/Settings_Basic.java | 6 +++++- src/de/blinkt/openvpn/VpnProfile.java | 30 +++++++++++++++++++++++++++++- 9 files changed, 64 insertions(+), 9 deletions(-) diff --git a/res/layout/basic_settings.xml b/res/layout/basic_settings.xml index d47ba207..409936e1 100644 --- a/res/layout/basic_settings.xml +++ b/res/layout/basic_settings.xml @@ -106,6 +106,12 @@ android:visibility="gone" > + + + android:text="@string/select_file" > diff --git a/res/layout/keystore_selector.xml b/res/layout/keystore_selector.xml index 21945104..211e977b 100644 --- a/res/layout/keystore_selector.xml +++ b/res/layout/keystore_selector.xml @@ -28,7 +28,7 @@ android:layout_width="wrap_content" android:layout_height="wrap_content" android:layout_alignParentRight="true" - android:text="@string/select_certificate" /> + android:text="@string/select" /> Clientzertifikat Clientzertifikatsschlüssel CA Zertifikat - Auswählen + Auswählen Nichts ausgewählt Über Typ @@ -171,5 +171,9 @@ Generiere OpenVPN Konfigration… Aktivieren dieser Option zwingt OpenVPN dazu beim Wechsel des Netzwerkes (WLAN zu Mobilfunk und umgekehrt) neu zu verbinden. Netzwerkänderungen beachten + Netzwerkstatus: %s + Beim Abfragen des Android KeyStore wurde kein CA Zertifikat zurückgegeben. Überprüfen des Serverzertifikat wird warscheinlich fehlschlagen. Geben Sie manuell ein CA Zertifikat an. + Zertifikat (KeyStore): \'%s\' + Das CA Zertifikat wird meist aus dem Zertifikatsspeicher automatisch ausgewählt. Sollte dies nicht funktionieren und Sie Verifizierungsprobleme erhalten(self signed certificate), wählen Sie manuell ein Zertifikat aus. \ No newline at end of file diff --git a/res/values/strings.xml b/res/values/strings.xml index 08bb0a27..f7c9817f 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -24,7 +24,6 @@ 1194 Location folder can\'t be read! - Select Cancel No Data LZO Compression @@ -33,7 +32,6 @@ Client Certificate Key PKCS12 File CA Certificate - Select Nothing selected Copyright © 2002–2010 OpenVPN Technologies, Inc. <sales@openvpn.net>\n @@ -57,6 +55,7 @@ All your precious VPNs Type PKCS12 Password + Select… Select… Nothing Selected Use TLS Authentication @@ -209,7 +208,10 @@ Building configration… Turning this option on will force a reconnet if the network state is change (WIFI to/from mobile) Reconnect on Network change - No CA Certificate returned while reading from Android keystore. Auhtentication will probably fail. Got certificate \'%s\' from Keystore Network Status: %s + The CA cert is usually returned from the Android Keystore. Specify a seperate certificate if you get certificate verification errors. + Select + No CA Certificate returned while reading from Android keystore. Auhtentication will probably fail. + diff --git a/src/de/blinkt/openvpn/LaunchVPN.java b/src/de/blinkt/openvpn/LaunchVPN.java index b4151c24..e76057d7 100644 --- a/src/de/blinkt/openvpn/LaunchVPN.java +++ b/src/de/blinkt/openvpn/LaunchVPN.java @@ -105,7 +105,7 @@ public class LaunchVPN extends ListActivity implements OnItemClickListener { if(Intent.ACTION_MAIN.equals(action)) { // we got called to be the starting point, most likely a shortcut String shortcutUUID = intent.getStringExtra( EXTRA_KEY); - String shortcutName = intent.getStringExtra( EXTRA_KEY); + String shortcutName = intent.getStringExtra( EXTRA_NAME); VpnProfile profileToConnect = ProfileManager.get(shortcutUUID); if(shortcutName != null && profileToConnect ==null) diff --git a/src/de/blinkt/openvpn/OpenVPN.java b/src/de/blinkt/openvpn/OpenVPN.java index 39533db3..b09eb60e 100644 --- a/src/de/blinkt/openvpn/OpenVPN.java +++ b/src/de/blinkt/openvpn/OpenVPN.java @@ -35,6 +35,12 @@ public class OpenVPN { mMessage = message; } + public LogItem(int loglevel, String msg) { + mLevel = loglevel; + mMessage = msg; + } + + String getString(Context c) { if(mMessage !=null) { return mMessage; @@ -144,6 +150,11 @@ public class OpenVPN { } } + public static void logError(String msg) { + newlogItem(new LogItem(LogItem.ERROR, msg)); + + } + } diff --git a/src/de/blinkt/openvpn/Settings_Basic.java b/src/de/blinkt/openvpn/Settings_Basic.java index bafee229..1b82b579 100644 --- a/src/de/blinkt/openvpn/Settings_Basic.java +++ b/src/de/blinkt/openvpn/Settings_Basic.java @@ -200,7 +200,7 @@ public class Settings_Basic extends Fragment implements View.OnClickListener, On mView.findViewById(R.id.userpassword).setVisibility(View.GONE); mView.findViewById(R.id.key_password_layout).setVisibility(View.GONE); - // Fallthroughs are by desing + // Fall through are by design switch(type) { case VpnProfile.TYPE_USERPASS_CERTIFICATES: mView.findViewById(R.id.userpassword).setVisibility(View.VISIBLE); @@ -210,18 +210,22 @@ public class Settings_Basic extends Fragment implements View.OnClickListener, On if(mProfile.requireTLSKeyPassword()) mView.findViewById(R.id.key_password_layout).setVisibility(View.VISIBLE); break; + case VpnProfile.TYPE_USERPASS_PKCS12: mView.findViewById(R.id.userpassword).setVisibility(View.VISIBLE); case VpnProfile.TYPE_PKCS12: mView.findViewById(R.id.pkcs12).setVisibility(View.VISIBLE); break; + case VpnProfile.TYPE_STATICKEYS: mView.findViewById(R.id.statickeys).setVisibility(View.VISIBLE); break; + case VpnProfile.TYPE_USERPASS_KEYSTORE: mView.findViewById(R.id.userpassword).setVisibility(View.VISIBLE); case VpnProfile.TYPE_KEYSTORE: mView.findViewById(R.id.keystore).setVisibility(View.VISIBLE); + mView.findViewById(R.id.cacert).setVisibility(View.VISIBLE); break; case VpnProfile.TYPE_USERPASS: diff --git a/src/de/blinkt/openvpn/VpnProfile.java b/src/de/blinkt/openvpn/VpnProfile.java index e9cb994a..7ca75723 100644 --- a/src/de/blinkt/openvpn/VpnProfile.java +++ b/src/de/blinkt/openvpn/VpnProfile.java @@ -1,17 +1,22 @@ package de.blinkt.openvpn; +import java.io.ByteArrayInputStream; import java.io.File; +import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.FileReader; import java.io.FileWriter; import java.io.IOException; +import java.io.InputStream; import java.io.Serializable; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; +import java.security.cert.Certificate; import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Collection; import java.util.Random; @@ -474,7 +479,7 @@ public class VpnProfile implements Serializable{ try { privateKey = KeyChain.getPrivateKey(context,mAlias); cachain = KeyChain.getCertificateChain(context, mAlias); - if(cachain.length <= 1) + if(cachain.length <= 1 && !nonNull(mCaFilename)) OpenVPN.logMessage(0, "", context.getString(R.string.keychain_nocacert)); @@ -484,6 +489,15 @@ public class VpnProfile implements Serializable{ KeyStore ks = KeyStore.getInstance("PKCS12"); ks.load(null, null); + if(nonNull(mCaFilename)) { + try { + Certificate cacert = getCacertFromFile(); + + ks.setCertificateEntry("cacert", cacert); + } catch (Exception e) { + OpenVPN.logError("Could not read CA certificate" + e.getLocalizedMessage()); + } + } ks.setKeyEntry("usercert", privateKey, null, cachain); String mypw = getTemporaryPKCS12Password(); FileOutputStream fout = new FileOutputStream(context.getCacheDir().getAbsolutePath() + "/" + VpnProfile.OVPNCONFIGPKCS12); @@ -507,6 +521,20 @@ public class VpnProfile implements Serializable{ } } + private Certificate getCacertFromFile() throws FileNotFoundException, CertificateException { + CertificateFactory certFact = CertificateFactory.getInstance("X.509"); + + InputStream inStream; + + if(mCaFilename.startsWith(INLINE_TAG)) + inStream = new ByteArrayInputStream(mCaFilename.replace(INLINE_TAG,"").getBytes()); + else + inStream = new FileInputStream(mCaFilename); + + return certFact.generateCertificate(inStream); + } + + //! Return an error if somethign is wrong int checkProfile() { if((mAuthenticationType==TYPE_KEYSTORE || mAuthenticationType==TYPE_USERPASS_KEYSTORE) && mAlias==null) -- cgit v1.2.3