From 3cb8f44a92471e43589a80067380d7b262c18c20 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 8 Oct 2018 00:49:11 +0300 Subject: Use TLS 1.3 compatible external key management --- main/src/main/java/de/blinkt/openvpn/VpnProfile.java | 18 +++++++++++++----- .../blinkt/openvpn/core/OpenVpnManagementThread.java | 2 +- .../java/de/blinkt/openvpn/core/OpenVPNThreadv3.java | 2 +- 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java index db8f157c..1ac4d2ca 100644 --- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -429,6 +429,11 @@ public class VpnProfile implements Serializable, Cloneable { cfg.append("auth-user-pass\n"); case VpnProfile.TYPE_PKCS12: cfg.append(insertFileData("pkcs12", mPKCS12Filename)); + + if (!TextUtils.isEmpty(mCaFilename)) + { + cfg.append(insertFileData("ca", mCaFilename)); + } break; case VpnProfile.TYPE_USERPASS_KEYSTORE: @@ -443,7 +448,7 @@ public class VpnProfile implements Serializable, Cloneable { if (ks[1] != null) cfg.append("\n").append(ks[1]).append("\n\n"); cfg.append("\n").append(ks[2]).append("\n\n"); - cfg.append("management-external-key\n"); + cfg.append("management-external-key nopadding\n"); } else { cfg.append(context.getString(R.string.keychain_access)).append("\n"); if (Build.VERSION.SDK_INT == Build.VERSION_CODES.JELLY_BEAN) 
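Review bot: The new `ca` block under `case VpnProfile.TYPE_PKCS12:` changes which certificates the client trusts, and neither the code nor the commit subject says so. As far as I know, OpenVPN stops treating the CA certificates bundled in the PKCS#12 file as trust anchors once a separate `ca` is supplied, so an `mCaFilename` left over from another authentication type could silently replace them; this should be confirmed against the OpenVPN version that is shipped. I would add a comment such as `// An explicit CA overrides the CA certificates contained in the PKCS#12 bundle`. The opening brace would also read better on the `if` line, matching `} else {` elsewhere in this file.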
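Review bot: `management-external-key nopadding` in this hunk and the literal `false` passed to `getSignedData` in `processSignCommand` (the OpenVpnManagementThread.java hunk) must always change together, but nothing in the code ties them to each other. If one is edited without the other, the app either pads data that OpenVPN has already padded or returns a raw RSA result where a PKCS#1 signature is expected, and the handshake fails in a way that is hard to diagnose. A comment on both sides would be enough, e.g. `// "nopadding": OpenVPN pads the data itself, so processSignCommand must sign with pkcs1padding=false`. The bare `true` in `OpenVPNThreadv3.external_pki_sign_request` deserves the same kind of comment.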
@@ -1113,13 +1118,13 @@ public class VpnProfile implements Serializable, Cloneable { } @Nullable - public String getSignedData(Context c, String b64data) { + public String getSignedData(Context c, String b64data, boolean pkcs1padding) { byte[] data = Base64.decode(b64data, Base64.DEFAULT); byte[] signed_bytes; if (mAuthenticationType == TYPE_EXTERNAL_APP) signed_bytes = getExtAppSignedData(c, data); else - signed_bytes = getKeyChainSignedData(data); + signed_bytes = getKeyChainSignedData(data, pkcs1padding); if (signed_bytes != null) return Base64.encodeToString(signed_bytes, Base64.NO_WRAP); @@ -1138,7 +1143,7 @@ public class VpnProfile implements Serializable, Cloneable { } } - private byte[] getKeyChainSignedData(byte[] data) { + private byte[] getKeyChainSignedData(byte[] data, boolean pkcs1padding) { PrivateKey privkey = getKeystoreKey(); // The Jelly Bean *evil* Hack @@ -1165,7 +1170,10 @@ public class VpnProfile implements Serializable, Cloneable { the public/private part in the TLS exchange */ Cipher signer; - signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); + if (pkcs1padding) + signer = Cipher.getInstance("RSA/ECB/PKCS1PADDING"); + else + signer = Cipher.getInstance("RSA/ECB/NoPadding"); signer.init(Cipher.ENCRYPT_MODE, privkey); diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java index b2d26836..bfc91d90 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java +++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVpnManagementThread.java @@ -751,7 +751,7 @@ public class OpenVpnManagementThread implements Runnable, OpenVPNManagement { private void processSignCommand(String b64data) { - String signed_string = mProfile.getSignedData(mOpenVPNService, b64data); + String signed_string = mProfile.getSignedData(mOpenVPNService, b64data, false); if (signed_string == null) { managmentCommand("pk-sig\n"); 
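Review bot: The new `pkcs1padding` argument is dropped on the `TYPE_EXTERNAL_APP` branch, where `getExtAppSignedData(c, data)` is still called without it. `processSignCommand` now passes `false`, so if external-app profiles also emit `management-external-key nopadding` (the enclosing case labels are not visible in these hunks), the external signer receives pre-padded data with no indication that it must not pad again. Either pass the flag through to the external-app interface or keep the PKCS#1 mode for that authentication type. A Javadoc on `getSignedData` should also state what `pkcs1padding` means and who is responsible for padding when it is `false`.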
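Review bot: With `RSA/ECB/NoPadding`, `getKeyChainSignedData` performs a raw RSA private-key operation on whatever bytes the caller supplies, so the safety of the signature rests entirely on the OpenVPN process having produced a correctly padded block. That assumption deserves a comment on the `else` branch, for example `// Input is already padded by OpenVPN (PKCS#1 v1.5 or PSS); never call this with unpadded data`. The method body starts and ends outside the hunk: the code following `// The Jelly Bean *evil* Hack` is not visible, and if it returns early it would ignore `pkcs1padding`. The unbraced `if`/`else` around `Cipher.getInstance` would also be clearer with braces.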
diff --git a/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java index 97a793a4..078fa218 100644 --- a/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java +++ b/main/src/ovpn3/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java @@ -241,7 +241,7 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable @Override public void external_pki_sign_request(ClientAPI_ExternalPKISignRequest signreq) { VpnStatus.logDebug("Got external PKI signing request from OpenVPN core"); - signreq.setSig(mVp.getSignedData(mService, signreq.getData())); + signreq.setSig(mVp.getSignedData(mService, signreq.getData(),true)); } void setUserPW() { -- cgit v1.2.3
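Review bot: `getSignedData` is annotated `@Nullable` in VpnProfile, yet `external_pki_sign_request` passes its result straight to `signreq.setSig(...)`, whereas `processSignCommand` in the management thread checks for `null` first. What the generated `setSig` binding does with `null` is not visible here, so I would guard the call: `String sig = mVp.getSignedData(mService, signreq.getData(), true);` followed by `if (sig == null) { /* report the failure on signreq */ } else { signreq.setSig(sig); }`. The new call is also missing a space after the comma before `true`.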