android: Adding tlsa verification v1

2023-08-30 13:38:32 +10:00 · 2023-08-30 13:38:32 +10:00 · 612b9f27e0
commit 612b9f27e0
parent 358d5e75af
12 changed files with 84 additions and 10 deletions
--- a/.gradle/8.0/checksums/checksums.lock
+++ b/.gradle/8.0/checksums/checksums.lock
--- a/.gradle/8.0/checksums/md5-checksums.bin
+++ b/.gradle/8.0/checksums/md5-checksums.bin
--- a/.gradle/8.0/checksums/sha1-checksums.bin
+++ b/.gradle/8.0/checksums/sha1-checksums.bin
--- a/.gradle/8.0/executionHistory/executionHistory.bin
+++ b/.gradle/8.0/executionHistory/executionHistory.bin
--- a/.gradle/8.0/executionHistory/executionHistory.lock
+++ b/.gradle/8.0/executionHistory/executionHistory.lock
--- a/.gradle/8.0/fileHashes/fileHashes.bin
+++ b/.gradle/8.0/fileHashes/fileHashes.bin
--- a/.gradle/8.0/fileHashes/fileHashes.lock
+++ b/.gradle/8.0/fileHashes/fileHashes.lock
--- a/.gradle/8.0/fileHashes/resourceHashesCache.bin
+++ b/.gradle/8.0/fileHashes/resourceHashesCache.bin
--- a/.gradle/buildOutputCleanup/buildOutputCleanup.lock
+++ b/.gradle/buildOutputCleanup/buildOutputCleanup.lock
--- a/.gradle/buildOutputCleanup/outputFiles.bin
+++ b/.gradle/buildOutputCleanup/outputFiles.bin
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@ -39,6 +39,7 @@ dependencies {
    testImplementation("junit:junit:4.13.2")
    androidTestImplementation("androidx.test.ext:junit:1.1.5")
    androidTestImplementation("androidx.test.espresso:espresso-core:3.5.1")
-    implementation("androidx.webkit:webkit:1.3.0")
+    implementation("androidx.webkit:webkit:1.7.0")
-    implementation("androidx.core:core-splashscreen:1.0.0")
+    implementation("androidx.core:core-splashscreen:1.0.1")
    implementation("dnsjava:dnsjava:2.1.8")
 }
--- a/app/src/main/java/com/woodburn/hnsbrowser/WebActivity.java
+++ b/app/src/main/java/com/woodburn/hnsbrowser/WebActivity.java
@ -3,8 +3,8 @@ package com.woodburn.hnsbrowser;
 import androidx.appcompat.app.AppCompatActivity;
 import androidx.webkit.ProxyConfig;
 import androidx.webkit.ProxyController;
 import android.net.http.SslError;
 import android.os.AsyncTask;
 import android.os.Bundle;
 import android.webkit.HttpAuthHandler;
 import android.webkit.SslErrorHandler;
@ -12,19 +12,27 @@ import android.webkit.WebSettings;
 import android.webkit.WebView;
 import android.webkit.WebViewClient;
 import android.widget.Toast;
-
+import java.net.InetAddress;
 import java.security.MessageDigest;
 import java.security.cert.Certificate;
 import java.util.List;
 import java.util.concurrent.Executor;
 import android.net.DnsResolver;
 import org.xbill.DNS.*;
 public class WebActivity extends AppCompatActivity {
    boolean sslError = false;
    String url = "";
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_web);
        Bundle bundle = getIntent().getExtras();
-        String url = bundle.getString("url");
+        url = bundle.getString("url");
        // Validate
        if (url == null || url.isEmpty()) {
            // Display toast
@ -46,12 +54,77 @@ public class WebActivity extends AppCompatActivity {
            }
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                if (!sslError) {
                    Toast.makeText(WebActivity.this, "SSL error", Toast.LENGTH_SHORT).show();
                    Toast.makeText(WebActivity.this, "Make sure you have installed the SSL certificate", Toast.LENGTH_SHORT).show();
                }
                sslError = true;
                handler.proceed(); // Ignore SSL certificate errors
                new Thread(new Runnable() {
                    @Override
                    public void run() {
                        boolean validSSL = false;
                        try {
                            Certificate certificate = error.getCertificate().getX509Certificate();
                            byte[] publicKeyBytes = certificate.getPublicKey().getEncoded();
                            MessageDigest sha256Digest = MessageDigest.getInstance("SHA-256");
                            byte[] sha256Hash = sha256Digest.digest(publicKeyBytes);
                            // Print the hash in hexadecimal format
                            StringBuilder hexString = new StringBuilder();
                            for (byte b : sha256Hash) {
                                hexString.append(String.format("%02X", b));
                            }
                            // Get TLSA hash via DIG
                            String siteHash = hexString.toString();
                            String domain = url.replace("https://", "");
                            if (domain.contains("/")) {
                                domain = domain.substring(0, domain.indexOf("/"));
                            }
                            domain = "_443._tcp." + domain;
                            SimpleResolver resolver = new SimpleResolver("152.69.186.119");
                            Lookup lookup = new Lookup(domain, Type.TLSA);
                            lookup.setResolver(resolver);
                            Record[] records = lookup.run();
                            if (lookup.getResult() == Lookup.SUCCESSFUL) {
                                for (Record record : records) {
                                    if (record instanceof TLSARecord) {
                                        // Verify TLSA hash
                                        TLSARecord tlsaRecord = (TLSARecord) record;
                                        String tlsaHash = tlsaRecord.getCertificateAssociationData().toString().replace(" ", "");
                                        runOnUiThread(() -> {
                                            Toast.makeText(WebActivity.this, "TLSA: " + tlsaHash, Toast.LENGTH_SHORT).show();
                                            Toast.makeText(WebActivity.this, "SITE: " + siteHash, Toast.LENGTH_SHORT).show();
                                        });
                                        if (tlsaHash.equals(siteHash)) {
                                            validSSL = true;
                                        }
                                    }
                                }
                            } else
                            {
                                runOnUiThread(() -> {
                                    Toast.makeText(WebActivity.this, "TLSA Lookup Failed!", Toast.LENGTH_SHORT).show();
                                    Toast.makeText(WebActivity.this, lookup.getErrorString(), Toast.LENGTH_SHORT).show();
                                });
                            }
                        } catch (Exception e) {
                            runOnUiThread(() -> {
                                Toast.makeText(WebActivity.this, e.toString(), Toast.LENGTH_SHORT).show();
                            });
                        }
                        if (!validSSL) {
                            sslError = true;
                            runOnUiThread(() -> {
                                Toast.makeText(WebActivity.this, "SSL NOT VALID!", Toast.LENGTH_SHORT).show();
                            });
                        } else {
                            runOnUiThread(() -> {
                                Toast.makeText(WebActivity.this, "SSL VALID!", Toast.LENGTH_SHORT).show();
                            });
                        }
                    }
                }).start();
            }
        });
        setProxy();