Android HPKP

standardnotes · Nov 18, 2019 · 6beb384 · 6beb384
1 parent e87d392
commit 6beb384
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 8 deletions.
diff --git a/android/app/src/main/java/com/standardnotes/CustomClientFactory.java b/android/app/src/main/java/com/standardnotes/CustomClientFactory.java
@@ -0,0 +1,32 @@
+package com.standardnotes;
+
+import com.facebook.react.modules.network.OkHttpClientFactory;
+import com.facebook.react.modules.network.OkHttpClientProvider;
+import com.facebook.react.modules.network.ReactCookieJarContainer;
+import java.util.concurrent.TimeUnit;
+import okhttp3.CertificatePinner;
+import okhttp3.OkHttpClient;
+
+public class CustomClientFactory implements OkHttpClientFactory {
+    private static String hostname = "*.standardnotes.org";
+    @Override
+    public OkHttpClient createNewNetworkModuleClient() {
+        CertificatePinner certificatePinner = new CertificatePinner.Builder()
+                .add(hostname, "sha256/Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=")
+                .add(hostname, "sha256/C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=")
+                .add(hostname, "sha256/YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=")
+                .add(hostname, "sha256/sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=")
+                .add(hostname, "sha256/++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI=")
+                .add(hostname, "sha256/f0KW/FtqTjs108NpYj42SrGvOB2PpxIVM8nWxjPqJGE=")
+                .add(hostname, "sha256/NqvDJlas/GRcYbcWE8S/IceH9cq77kg0jVhZeAPXq8k=")
+                .add(hostname, "sha256/9+ze1cZgR9KO1kZrVDxA4HQ6voHRCSVNz4RdTCx4U8U=")
+                .build();
+        OkHttpClient.Builder client = new OkHttpClient.Builder()
+                .connectTimeout(0, TimeUnit.MILLISECONDS)
+                .readTimeout(0, TimeUnit.MILLISECONDS)
+                .writeTimeout(0, TimeUnit.MILLISECONDS)
+                .cookieJar(new ReactCookieJarContainer())
+                .certificatePinner(certificatePinner);
+        return OkHttpClientProvider.enableTls12OnPreLollipop(client).build();
+    }
+}
diff --git a/android/app/src/main/java/com/standardnotes/MainApplication.java b/android/app/src/main/java/com/standardnotes/MainApplication.java
@@ -1,5 +1,7 @@
 package com.standardnotes;
 
+import com.facebook.react.modules.network.OkHttpClientProvider;
+
 import android.app.Application;
 import android.app.Activity;
 import android.content.Intent;
@@ -81,6 +83,8 @@ public ReactNativeHost getReactNativeHost() {
   public void onCreate() {
     super.onCreate();
 
+    rebuildOkHtttp();
+
     SoLoader.init(this, /* native exopackage */ false);
 
     registerActivityLifecycleCallbacks(new ActivityLifecycleCallbacks() {
@@ -124,4 +128,8 @@ public void onActivityDestroyed(Activity activity) {
       BugsnagReactNative.start(this);
     }
   }
+
+  private void rebuildOkHtttp() {
+    OkHttpClientProvider.setOkHttpClientFactory(new CustomClientFactory());
+  }
 }
diff --git a/ios/StandardNotes.xcodeproj/project.pbxproj b/ios/StandardNotes.xcodeproj/project.pbxproj
@@ -56,7 +56,8 @@
 		CD399CE321E181C7006106AE /* Red.png in Resources */ = {isa = PBXBuildFile; fileRef = CD399CE021E181C6006106AE /* Red.png */; };
 		CD399CE421E181C7006106AE /* [email protected] in Resources */ = {isa = PBXBuildFile; fileRef = CD399CE121E181C7006106AE /* [email protected] */; };
 		CD399CE521E181C7006106AE /* [email protected] in Resources */ = {isa = PBXBuildFile; fileRef = CD399CE221E181C7006106AE /* [email protected] */; };
-		CD50B91C23832722003C261C /* TrustKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD50B90C238325F4003C261C /* TrustKit.framework */; };
+		CD50BA5D238346A9003C261C /* TrustKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD50B90C238325F4003C261C /* TrustKit.framework */; };
+		CD50BA5E238346AA003C261C /* TrustKit.framework in Embed Frameworks */ = {isa = PBXBuildFile; fileRef = CD50B90C238325F4003C261C /* TrustKit.framework */; settings = {ATTRIBUTES = (CodeSignOnCopy, RemoveHeadersOnCopy, ); }; };
 		CD534871234FD44900FCD828 /* libSNReactNative.a in Frameworks */ = {isa = PBXBuildFile; fileRef = CD534870234FD43200FCD828 /* libSNReactNative.a */; };
 		CD743C792342ACC700535CC9 /* JavaScriptCore.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = ED297162215061F000B7C4FE /* JavaScriptCore.framework */; };
 		CD743CCE2342AD3F00535CC9 /* JavaScriptCore.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = ED297162215061F000B7C4FE /* JavaScriptCore.framework */; };
@@ -547,6 +548,20 @@
 		};
 /* End PBXContainerItemProxy section */
 
+/* Begin PBXCopyFilesBuildPhase section */
+		CD50BA5F238346AA003C261C /* Embed Frameworks */ = {
+			isa = PBXCopyFilesBuildPhase;
+			buildActionMask = 2147483647;
+			dstPath = "";
+			dstSubfolderSpec = 10;
+			files = (
+				CD50BA5E238346AA003C261C /* TrustKit.framework in Embed Frameworks */,
+			);
+			name = "Embed Frameworks";
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXCopyFilesBuildPhase section */
+
 /* Begin PBXFileReference section */
 		00457F9447544666906F6C53 /* Zocial.ttf */ = {isa = PBXFileReference; explicitFileType = undefined; fileEncoding = 9; includeInIndex = 0; lastKnownFileType = unknown; name = Zocial.ttf; path = "../node_modules/react-native-vector-icons/Fonts/Zocial.ttf"; sourceTree = "<group>"; };
 		008F07F21AC5B25A0029DE68 /* main.jsbundle */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = main.jsbundle; sourceTree = "<group>"; };
@@ -636,7 +651,6 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				CD50B91C23832722003C261C /* TrustKit.framework in Frameworks */,
 				CD534871234FD44900FCD828 /* libSNReactNative.a in Frameworks */,
 				ED297163215061F000B7C4FE /* JavaScriptCore.framework in Frameworks */,
 				CD399CD021E16BD6006106AE /* libReactNativeAlternateIcons.a in Frameworks */,
@@ -650,6 +664,7 @@
 				5E9157361DD0AC6A00FF2AA8 /* libRCTAnimation.a in Frameworks */,
 				00C302E51ABCBA2D00DB3ED1 /* libRCTActionSheet.a in Frameworks */,
 				00C302E71ABCBA2D00DB3ED1 /* libRCTGeolocation.a in Frameworks */,
+				CD50BA5D238346A9003C261C /* TrustKit.framework in Frameworks */,
 				00C302E81ABCBA2D00DB3ED1 /* libRCTImage.a in Frameworks */,
 				133E29F31AD74F7200F7D852 /* libRCTLinking.a in Frameworks */,
 				00C302E91ABCBA2D00DB3ED1 /* libRCTNetwork.a in Frameworks */,
@@ -1131,6 +1146,7 @@
 				13B07F8C1A680F5B00A75B9A /* Frameworks */,
 				13B07F8E1A680F5B00A75B9A /* Resources */,
 				00DD1BFF1BD5951E006B06BC /* Bundle React Native code and images */,
+				CD50BA5F238346AA003C261C /* Embed Frameworks */,
 			);
 			buildRules = (
 			);

diff --git a/ios/StandardNotes/AppDelegate.m b/ios/StandardNotes/AppDelegate.m
@@ -12,10 +12,10 @@ - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(
 {
   [BugsnagReactNative start];
 
-  [self disableUrlCache];
-
   [self configurePinning];
 
+  [self disableUrlCache];
+
   [self clearWebEditorCache];
 
   RCTBridge *bridge = [[RCTBridge alloc] initWithDelegate:self launchOptions:launchOptions];
@@ -64,17 +64,17 @@ - (void)configurePinning {
 
     // The list of domains we want to pin and their configuration
     kTSKPinnedDomains: @{
-      @"sync.standardnotes.org" : @{
+      @"standardnotes.org" : @{
         kTSKIncludeSubdomains:@YES,
 
-        // Do not block connections if pinning validation failed so the App doesn't break
-        kTSKEnforcePinning:@NO,
+        kTSKEnforcePinning:@YES,
 
         // Send reports for pin validation failures so we can track them
-        kTSKReportUris: @[@"https://standard.report-uri.com/r/d/csp/reportOnly"],
+        kTSKReportUris: @[@"https://standard.report-uri.com/r/d/hpkp/reportOnly"],
 
         // The pinned public keys' Subject Public Key Info hashes
         kTSKPublicKeyHashes : @[
+          @"Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=",
           @"C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=",
           @"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=",
           @"sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=",