mirror/FairEmail
1
0
Fork 0
mirror of https://github.com/M66B/FairEmail.git synced 2025-01-03 13:44:40 +00:00
Code Issues Releases Wiki Activity

Added certificate transparency

Browse source
This commit is contained in:
M66B 2023-12-30 14:22:24 +01:00
parent 5035c38624
commit 459a545a40
9 changed files with 74 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/build.gradle
View file

@ -542,6 +542,7 @@ dependencies {
def biometric_version = "1.2.0-alpha05"
def billingclient_version = "6.0.1"
def playservicesbase_version = "18.2.0";
def transparency_version = "2.5.19"
def javamail_version = "1.6.7"
def jsoup_version = "1.16.2"
def jsonpath_version = "2.8.0"
@ -689,6 +690,9 @@ dependencies {
largeImplementation "com.google.android.gms:play-services-basement:$playservicesbase_version"
playImplementation "com.google.android.gms:play-services-basement:$playservicesbase_version"
// https://github.com/appmattus/certificatetransparency
implementation "com.appmattus.certificatetransparency:certificatetransparency-android:$transparency_version"
// https://developer.amazon.com/docs/in-app-purchasing/iap-get-started.html
amazonImplementation files('lib/in-app-purchasing-2.0.76.jar')

2
app/src/main/java/eu/faircode/email/DebugHelper.java
View file

@ -1117,6 +1117,7 @@ public class DebugHelper {
boolean ssl_harden = prefs.getBoolean("ssl_harden", false);
boolean ssl_harden_strict = (ssl_harden && prefs.getBoolean("ssl_harden_strict", false));
boolean cert_strict = prefs.getBoolean("cert_strict", true);
boolean cert_transparency = prefs.getBoolean("cert_transparency", false);
boolean open_safe = prefs.getBoolean("open_safe", false);
size += write(os, "timeout=" + timeout + "s" + (timeout == EmailService.DEFAULT_CONNECT_TIMEOUT ? "" : " !!!") + "\r\n");
@ -1144,6 +1145,7 @@ public class DebugHelper {
size += write(os, "ssl_harden=" + ssl_harden + (ssl_harden ? " !!!" : "") + "\r\n");
size += write(os, "ssl_harden_strict=" + ssl_harden_strict + (ssl_harden_strict ? " !!!" : "") + "\r\n");
size += write(os, "cert_strict=" + cert_strict + (cert_strict ? " !!!" : "") + "\r\n");
size += write(os, "cert_transparency=" + cert_transparency + (cert_transparency ? " !!!" : "") + "\r\n");
size += write(os, "open_safe=" + open_safe + "\r\n");
size += write(os, "\r\n");

10
app/src/main/java/eu/faircode/email/EmailService.java
View file

@ -103,6 +103,7 @@ public class EmailService implements AutoCloseable {
private boolean ssl_harden;
private boolean ssl_harden_strict;
private boolean cert_strict;
private boolean cert_transparency;
private boolean check_names;
private boolean useip;
private String ehlo;
@ -191,6 +192,7 @@ public class EmailService implements AutoCloseable {
this.ssl_harden = prefs.getBoolean("ssl_harden", false);
this.ssl_harden_strict = prefs.getBoolean("ssl_harden_strict", false);
this.cert_strict = prefs.getBoolean("cert_strict", true);
this.cert_transparency = prefs.getBoolean("cert_transparency", false);
this.check_names = prefs.getBoolean("check_names", !BuildConfig.PLAY_STORE_RELEASE);
boolean auth_plain = prefs.getBoolean("auth_plain", true);
@ -452,7 +454,7 @@ public class EmailService implements AutoCloseable {
boolean bc = prefs.getBoolean("bouncy_castle", false);
boolean fips = prefs.getBoolean("bc_fips", false);
factory = new SSLSocketFactoryService(
host, insecure, ssl_harden, strict, cert_strict, check_names, bc, fips, key, chain, fingerprint);
host, insecure, ssl_harden, strict, cert_strict, cert_transparency, check_names, bc, fips, key, chain, fingerprint);
properties.put("mail." + protocol + ".ssl.socketFactory", factory);
properties.put("mail." + protocol + ".socketFactory.fallback", "false");
properties.put("mail." + protocol + ".ssl.checkserveridentity", "false");
@ -1034,23 +1036,21 @@ public class EmailService implements AutoCloseable {
private boolean secure;
private boolean ssl_harden;
private boolean ssl_harden_strict;
private boolean cert_strict;
private String trustedFingerprint;
private SSLSocketFactory factory;
private X509Certificate certificate;
SSLSocketFactoryService(String host, boolean insecure,
boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean check_names,
boolean ssl_harden, boolean ssl_harden_strict, boolean cert_strict, boolean cert_transparency, boolean check_names,
boolean bc, boolean fips,
PrivateKey key, X509Certificate[] chain, String fingerprint) throws GeneralSecurityException {
this.server = host;
this.secure = !insecure;
this.ssl_harden = ssl_harden;
this.ssl_harden_strict = ssl_harden_strict;
this.cert_strict = cert_strict;
this.trustedFingerprint = fingerprint;
TrustManager[] tms = SSLHelper.getTrustManagers(server, secure, cert_strict, check_names, trustedFingerprint,
TrustManager[] tms = SSLHelper.getTrustManagers(server, secure, cert_strict, cert_transparency, check_names, trustedFingerprint,
new SSLHelper.ITrust() {
@Override
public void checkServerTrusted(X509Certificate[] chain) {

21
app/src/main/java/eu/faircode/email/FragmentOptionsConnection.java
View file

@ -100,6 +100,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
private SwitchCompat swSslHarden;
private SwitchCompat swSslHardenStrict;
private SwitchCompat swCertStrict;
private SwitchCompat swCertTransparency;
private ImageButton ibCertTransparency;
private SwitchCompat swCheckNames;
private SwitchCompat swOpenSafe;
private SwitchCompat swHttpRedirect;
@ -125,7 +127,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
"download_headers", "download_eml", "download_plain",
"require_validated", "require_validated_captive", "vpn_only",
"timeout", "prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive",
"ssl_update", "ssl_harden", "ssl_harden_strict", "cert_strict", "check_names",
"ssl_update", "ssl_harden", "ssl_harden_strict", "cert_strict", "cert_transparency", "check_names",
"open_safe", "http_redirect",
"bouncy_castle", "bc_fips"
};
@ -162,6 +164,8 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swSslHarden = view.findViewById(R.id.swSslHarden);
swSslHardenStrict = view.findViewById(R.id.swSslHardenStrict);
swCertStrict = view.findViewById(R.id.swCertStrict);
swCertTransparency = view.findViewById(R.id.swCertTransparency);
ibCertTransparency = view.findViewById(R.id.ibCertTransparency);
swCheckNames = view.findViewById(R.id.swCheckNames);
swOpenSafe = view.findViewById(R.id.swOpenSafe);
swHttpRedirect = view.findViewById(R.id.swHttpRedirect);
@ -381,6 +385,20 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
}
});
swCertTransparency.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
prefs.edit().putBoolean("cert_transparency", checked).apply();
}
});
ibCertTransparency.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
Helper.view(v.getContext(), Uri.parse(Helper.URI_CERT_TRANSPARENCY), true);
}
});
swCheckNames.setOnCheckedChangeListener(new CompoundButton.OnCheckedChangeListener() {
@Override
public void onCheckedChanged(CompoundButton compoundButton, boolean checked) {
@ -704,6 +722,7 @@ public class FragmentOptionsConnection extends FragmentBase implements SharedPre
swSslHardenStrict.setChecked(prefs.getBoolean("ssl_harden_strict", false));
swSslHardenStrict.setEnabled(swSslHarden.isChecked());
swCertStrict.setChecked(prefs.getBoolean("cert_strict", true));
swCertTransparency.setChecked(prefs.getBoolean("cert_transparency", false));
swCheckNames.setChecked(prefs.getBoolean("check_names", !BuildConfig.PLAY_STORE_RELEASE));
swOpenSafe.setChecked(prefs.getBoolean("open_safe", false));
swHttpRedirect.setChecked(prefs.getBoolean("http_redirect", true));

1
app/src/main/java/eu/faircode/email/Helper.java
View file

@ -225,6 +225,7 @@ public class Helper {
static final String DONTKILL_URI = "https://dontkillmyapp.com/";
static final String URI_SUPPORT_RESET_OPEN = "https://support.google.com/pixelphone/answer/6271667";
static final String URI_SUPPORT_CONTACT_GROUP = "https://support.google.com/contacts/answer/30970";
static final String URI_CERT_TRANSPARENCY = "https://github.com/appmattus/certificatetransparency/blob/main/docs/what-is-certificate-transparency.md";
// https://developer.android.com/distribute/marketing-tools/linking-to-google-play#PerformingSearch
private static final String PLAY_STORE_SEARCH = "https://play.google.com/store/search";

17
app/src/main/java/eu/faircode/email/SSLHelper.java
View file

@ -4,6 +4,10 @@ import android.text.TextUtils;
import androidx.annotation.NonNull;
import com.appmattus.certificatetransparency.CTLogger;
import com.appmattus.certificatetransparency.CTTrustManagerBuilder;
import com.appmattus.certificatetransparency.VerificationResult;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.KeyStore;
@ -21,7 +25,7 @@ import javax.net.ssl.X509TrustManager;
public class SSLHelper {
static TrustManager[] getTrustManagers(
String server, boolean secure, boolean cert_strict, boolean check_names, String trustedFingerprint, ITrust intf) {
String server, boolean secure, boolean cert_strict, boolean transparency, boolean check_names, String trustedFingerprint, ITrust intf) {
TrustManagerFactory tmf;
try {
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
@ -43,7 +47,16 @@ public class SSLHelper {
for (TrustManager tm : tms)
Log.e("Trust manager " + tm.getClass());
final X509TrustManager rtm = (X509TrustManager) tms[0];
CTLogger logger = new CTLogger() {
@Override
public void log(@NonNull String host, @NonNull VerificationResult result) {
Log.w("Transparency: host=" + host + " result=" + result);
}
};
final X509TrustManager rtm = (transparency
? new CTTrustManagerBuilder((X509TrustManager) tms[0]).setLogger(logger).build()
: (X509TrustManager) tms[0]);
return new TrustManager[]{new X509TrustManager() {
// openssl s_client -connect <host>

2
app/src/main/java/eu/faircode/email/ServiceSynchronize.java
View file

@ -172,7 +172,7 @@ public class ServiceSynchronize extends ServiceBase implements SharedPreferences
"sync_shared_folders",
"download_headers", "download_eml",
"prefer_ip4", "bind_socket", "standalone_vpn", "tcp_keep_alive", // force reconnect
"ssl_harden", "ssl_harden_strict", "cert_strict", "check_names", "bouncy_castle", "bc_fips", // force reconnect
"ssl_harden", "ssl_harden_strict", "cert_strict", "cert_transparency", "check_names", "bouncy_castle", "bc_fips", // force reconnect
"experiments", "debug", "protocol", // force reconnect
"auth_plain", "auth_login", "auth_ntlm", "auth_sasl", "auth_apop", // force reconnect
"keep_alive_poll", "empty_pool", "idle_done", // force reconnect

26
app/src/main/res/layout/fragment_options_connection.xml
View file

@ -533,6 +533,30 @@
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/swCertStrict" />
<androidx.appcompat.widget.SwitchCompat
android:id="@+id/swCertTransparency"
android:layout_width="0dp"
android:layout_height="wrap_content"
android:layout_marginTop="12dp"
android:checked="true"
android:text="@string/title_advanced_cert_transparency"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvCertStrictHint"
app:switchPadding="12dp" />
<ImageButton
android:id="@+id/ibCertTransparency"
android:layout_width="wrap_content"
android:layout_height="wrap_content"
android:layout_marginStart="12dp"
android:layout_marginTop="6dp"
android:contentDescription="@string/title_info"
android:tooltipText="@string/title_info"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/swCertTransparency"
app:srcCompat="@drawable/twotone_info_24" />
<androidx.appcompat.widget.SwitchCompat
android:id="@+id/swCheckNames"
android:layout_width="0dp"
@ -542,7 +566,7 @@
android:text="@string/title_advanced_check_names"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@id/tvCertStrictHint"
app:layout_constraintTop_toBottomOf="@id/ibCertTransparency"
app:switchPadding="12dp" />
<androidx.appcompat.widget.SwitchCompat

1
app/src/main/res/values/strings.xml
View file

@ -522,6 +522,7 @@
<string name="title_advanced_ssl_harden">Harden SSL connections</string>
<string name="title_advanced_ssl_harden_strict">Require TLS 1.3</string>
<string name="title_advanced_cert_strict">Strict certificate checking</string>
<string name="title_advanced_cert_transparency">Certificate transparency</string>
<string name="title_advanced_check_names">Check host names against server certificates</string>
<string name="title_advanced_open_safe">Open secure connections only</string>
<string name="title_advanced_http_redirect">Allow connection redirection</string>