aboutsummaryrefslogtreecommitdiffstats
path: root/OpenKeychain/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'OpenKeychain/src/main')
-rw-r--r--OpenKeychain/src/main/assets/sks-keyservers.netCA.cer32
-rw-r--r--OpenKeychain/src/main/java/org/sufficientlysecure/keychain/Constants.java4
-rw-r--r--OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java8
-rw-r--r--OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/Preferences.java18
-rw-r--r--OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/TlsHelper.java129
-rw-r--r--OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/HkpKeyserver.java143
-rw-r--r--OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyShareFragment.java6
-rw-r--r--OpenKeychain/src/main/res/raw/help_faq.html8
8 files changed, 257 insertions, 91 deletions
diff --git a/OpenKeychain/src/main/assets/sks-keyservers.netCA.cer b/OpenKeychain/src/main/assets/sks-keyservers.netCA.cer
new file mode 100644
index 000000000..24a2ad2e8
--- /dev/null
+++ b/OpenKeychain/src/main/assets/sks-keyservers.netCA.cer
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFizCCA3OgAwIBAgIJAK9zyLTPn4CPMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
+BAYTAk5PMQ0wCwYDVQQIDARPc2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5u
+ZXQgQ0ExHjAcBgNVBAMMFXNrcy1rZXlzZXJ2ZXJzLm5ldCBDQTAeFw0xMjEwMDkw
+MDMzMzdaFw0yMjEwMDcwMDMzMzdaMFwxCzAJBgNVBAYTAk5PMQ0wCwYDVQQIDARP
+c2xvMR4wHAYDVQQKDBVza3Mta2V5c2VydmVycy5uZXQgQ0ExHjAcBgNVBAMMFXNr
+cy1rZXlzZXJ2ZXJzLm5ldCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBANdsWy4PXWNUCkS3L//nrd0GqN3dVwoBGZ6w94Tw2jPDPifegwxQozFXkG6I
+6A4TK1CJLXPvfz0UP0aBYyPmTNadDinaB9T4jIwd4rnxl+59GiEmqkN3IfPsv5Jj
+MkKUmJnvOT0DEVlEaO1UZIwx5WpfprB3mR81/qm4XkAgmYrmgnLXd/pJDAMk7y1F
+45b5zWofiD5l677lplcIPRbFhpJ6kDTODXh/XEdtF71EAeaOdEGOvyGDmCO0GWqS
+FDkMMPTlieLA/0rgFTcz4xwUYj/cD5e0ZBuSkYsYFAU3hd1cGfBue0cPZaQH2HYx
+Qk4zXD8S3F4690fRhr+tki5gyG6JDR67aKp3BIGLqm7f45WkX1hYp+YXywmEziM4
+aSbGYhx8hoFGfq9UcfPEvp2aoc8u5sdqjDslhyUzM1v3m3ZGbhwEOnVjljY6JJLx
+MxagxnZZSAY424ZZ3t71E/Mn27dm2w+xFRuoy8JEjv1d+BT3eChM5KaNwrj0IO/y
+u8kFIgWYA1vZ/15qMT+tyJTfyrNVV/7Df7TNeWyNqjJ5rBmt0M6NpHG7CrUSkBy9
+p8JhimgjP5r0FlEkgg+lyD+V79H98gQfVgP3pbJICz0SpBQf2F/2tyS4rLm+49rP
+fcOajiXEuyhpcmzgusAj/1FjrtlynH1r9mnNaX4e+rLWzvU5AgMBAAGjUDBOMB0G
+A1UdDgQWBBTkwyoJFGfYTVISTpM8E+igjdq28zAfBgNVHSMEGDAWgBTkwyoJFGfY
+TVISTpM8E+igjdq28zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQAR
+OXnYwu3g1ZjHyley3fZI5aLPsaE17cOImVTehC8DcIphm2HOMR/hYTTL+V0G4P+u
+gH+6xeRLKSHMHZTtSBIa6GDL03434y9CBuwGvAFCMU2GV8w92/Z7apkAhdLToZA/
+X/iWP2jeaVJhxgEcH8uPrnSlqoPBcKC9PrgUzQYfSZJkLmB+3jEa3HKruy1abJP5
+gAdQvwvcPpvYRnIzUc9fZODsVmlHVFBCl2dlu/iHh2h4GmL4Da2rRkUMlbVTdioB
+UYIvMycdOkpH5wJftzw7cpjsudGas0PARDXCFfGyKhwBRFY7Xp7lbjtU5Rz0Gc04
+lPrhDf0pFE98Aw4jJRpFeWMjpXUEaG1cq7D641RpgcMfPFvOHY47rvDTS7XJOaUT
+BwRjmDt896s6vMDcaG/uXJbQjuzmmx3W2Idyh3s5SI0GTHb0IwMKYb4eBUIpQOnB
+cE77VnCYqKvN1NVYAqhWjXbY7XasZvszCRcOG+W3FqNaHOK/n/0ueb0uijdLan+U
+f4p1bjbAox8eAOQS/8a3bzkJzdyBNUKGx1BIK2IBL9bn/HravSDOiNRSnZ/R3l9G
+ZauX0tu7IIDlRCILXSyeazu0aj/vdT3YFQXPcvt5Fkf5wiNTo53f72/jYEJd6qph
+WrpoKqrwGwTpRUCMhYIUt65hsTxCiJJ5nKe39h46sg==
+-----END CERTIFICATE-----
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/Constants.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/Constants.java
index 319ac2873..e1bf1afa4 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/Constants.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/Constants.java
@@ -67,10 +67,12 @@ public final class Constants {
public static final String LANGUAGE = "language";
public static final String FORCE_V3_SIGNATURES = "forceV3Signatures";
public static final String KEY_SERVERS = "keyServers";
+ public static final String KEY_SERVERS_DEFAULT_VERSION = "keyServersDefaultVersion";
}
public static final class Defaults {
- public static final String KEY_SERVERS = "pool.sks-keyservers.net, subkeys.pgp.net, pgp.mit.edu";
+ public static final String KEY_SERVERS = "hkps://hkps.pool.sks-keyservers.net, subkeys.pgp.net, hkps://pgp.mit.edu";
+ public static final int KEY_SERVERS_VERSION = 2;
}
public static final class DrawerItems {
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
index 5d6a62f9c..dfd39b345 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/KeychainApplication.java
@@ -26,7 +26,8 @@ import android.graphics.drawable.Drawable;
import android.os.Environment;
import org.spongycastle.jce.provider.BouncyCastleProvider;
-import org.sufficientlysecure.keychain.helper.ContactHelper;
+import org.sufficientlysecure.keychain.helper.Preferences;
+import org.sufficientlysecure.keychain.helper.TlsHelper;
import org.sufficientlysecure.keychain.util.Log;
import org.sufficientlysecure.keychain.util.PRNGFixes;
@@ -81,6 +82,11 @@ public class KeychainApplication extends Application {
getApplicationContext().getResources().getColor(R.color.emphasis));
setupAccountAsNeeded(this);
+
+ // Update keyserver list as needed
+ Preferences.getPreferences(this).updateKeyServers();
+
+ TlsHelper.addStaticCA("pool.sks-keyservers.net", getAssets(), "sks-keyservers.netCA.cer");
}
public static void setupAccountAsNeeded(Context context) {
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/Preferences.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/Preferences.java
index c82c5e115..6f3d38ccd 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/Preferences.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/Preferences.java
@@ -169,4 +169,22 @@ public class Preferences {
editor.putString(Constants.Pref.KEY_SERVERS, rawData);
editor.commit();
}
+
+ public void updateKeyServers() {
+ if (mSharedPreferences.getInt(Constants.Pref.KEY_SERVERS_DEFAULT_VERSION, 0) !=
+ Constants.Defaults.KEY_SERVERS_VERSION) {
+ String[] servers = getKeyServers();
+ for (int i = 0; i < servers.length; i++) {
+ if (servers[i].equals("pool.sks-keyservers.net")) {
+ servers[i] = "hkps://hkps.pool.sks-keyservers.net";
+ } else if (servers[i].equals("pgp.mit.edu")) {
+ servers[i] = "hkps://pgp.mit.edu";
+ }
+ }
+ setKeyServers(servers);
+ mSharedPreferences.edit()
+ .putInt(Constants.Pref.KEY_SERVERS_DEFAULT_VERSION, Constants.Defaults.KEY_SERVERS_VERSION)
+ .commit();
+ }
+ }
}
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/TlsHelper.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/TlsHelper.java
new file mode 100644
index 000000000..4b09af04d
--- /dev/null
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/helper/TlsHelper.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2013-2014 Dominik Schürmann <dominik@dominikschuermann.de>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.sufficientlysecure.keychain.helper;
+
+import android.content.res.AssetManager;
+import org.sufficientlysecure.keychain.Constants;
+import org.sufficientlysecure.keychain.util.Log;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.net.URLConnection;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.*;
+import java.util.HashMap;
+import java.util.Map;
+
+public class TlsHelper {
+
+ public static class TlsHelperException extends Exception {
+ public TlsHelperException(Exception e) {
+ super(e);
+ }
+ }
+
+ private static Map<String, byte[]> sStaticCA = new HashMap<String, byte[]>();
+
+ public static void addStaticCA(String domain, byte[] certificate) {
+ sStaticCA.put(domain, certificate);
+ }
+
+ public static void addStaticCA(String domain, AssetManager assetManager, String name) {
+ try {
+ InputStream is = assetManager.open(name);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ int reads = is.read();
+
+ while(reads != -1){
+ baos.write(reads);
+ reads = is.read();
+ }
+
+ is.close();
+
+ addStaticCA(domain, baos.toByteArray());
+ } catch (IOException e) {
+ Log.w(Constants.TAG, e);
+ }
+ }
+
+ public static URLConnection openConnection(URL url) throws IOException, TlsHelperException {
+ if (url.getProtocol().equals("https")) {
+ for (String domain : sStaticCA.keySet()) {
+ if (url.getHost().endsWith(domain)) {
+ return openCAConnection(sStaticCA.get(domain), url);
+ }
+ }
+ }
+ return url.openConnection();
+ }
+
+ /**
+ * Opens a Connection that will only accept certificates signed with a specific CA and skips common name check.
+ * This is required for some distributed Keyserver networks like sks-keyservers.net
+ *
+ * @param certificate The X.509 certificate used to sign the servers certificate
+ * @param url Connection target
+ */
+ public static HttpsURLConnection openCAConnection(byte[] certificate, URL url)
+ throws TlsHelperException, IOException {
+ try {
+ // Load CA
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ Certificate ca = cf.generateCertificate(new ByteArrayInputStream(certificate));
+
+ // Create a KeyStore containing our trusted CAs
+ String keyStoreType = KeyStore.getDefaultType();
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+ keyStore.load(null, null);
+ keyStore.setCertificateEntry("ca", ca);
+
+ // Create a TrustManager that trusts the CAs in our KeyStore
+ String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
+ tmf.init(keyStore);
+
+ // Create an SSLContext that uses our TrustManager
+ SSLContext context = SSLContext.getInstance("TLS");
+ context.init(null, tmf.getTrustManagers(), null);
+
+ // Tell the URLConnection to use a SocketFactory from our SSLContext
+ HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
+ urlConnection.setSSLSocketFactory(context.getSocketFactory());
+
+ return urlConnection;
+ } catch (CertificateException e) {
+ throw new TlsHelperException(e);
+ } catch (NoSuchAlgorithmException e) {
+ throw new TlsHelperException(e);
+ } catch (KeyStoreException e) {
+ throw new TlsHelperException(e);
+ } catch (KeyManagementException e) {
+ throw new TlsHelperException(e);
+ }
+ }
+}
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/HkpKeyserver.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/HkpKeyserver.java
index e49085a0e..44679ba18 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/HkpKeyserver.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/keyimport/HkpKeyserver.java
@@ -22,37 +22,23 @@ import de.measite.minidns.Client;
import de.measite.minidns.Question;
import de.measite.minidns.Record;
import de.measite.minidns.record.SRV;
-import org.apache.http.HttpEntity;
-import org.apache.http.HttpResponse;
-import org.apache.http.HttpStatus;
-import org.apache.http.NameValuePair;
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.entity.UrlEncodedFormEntity;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.client.methods.HttpPost;
-import org.apache.http.impl.client.DefaultHttpClient;
-import org.apache.http.message.BasicNameValuePair;
-import org.apache.http.util.EntityUtils;
import org.sufficientlysecure.keychain.Constants;
+import org.sufficientlysecure.keychain.helper.TlsHelper;
import org.sufficientlysecure.keychain.pgp.PgpHelper;
import org.sufficientlysecure.keychain.pgp.PgpKeyHelper;
import org.sufficientlysecure.keychain.util.Log;
+import java.io.DataOutputStream;
import java.io.IOException;
-import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
-import java.net.InetAddress;
-import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
-import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.GregorianCalendar;
-import java.util.List;
import java.util.Locale;
import java.util.TimeZone;
import java.util.regex.Matcher;
@@ -200,48 +186,37 @@ public class HkpKeyserver extends Keyserver {
return mSecure ? "https://" : "http://";
}
- private String query(String request) throws QueryFailedException, HttpError {
- List<String> urls = new ArrayList<String>();
- if (mSecure) {
- urls.add(getUrlPrefix() + mHost + ":" + mPort + request);
- } else {
- InetAddress ips[];
- try {
- ips = InetAddress.getAllByName(mHost);
- } catch (UnknownHostException e) {
- throw new QueryFailedException(e.toString());
- }
- for (InetAddress ip : ips) {
- // Note: This is actually not HTTP 1.1 compliant, as we hide the real "Host" value,
- // but Android's HTTPUrlConnection does not support any other way to set
- // Socket's remote IP address...
- urls.add(getUrlPrefix() + ip.getHostAddress() + ":" + mPort + request);
- }
+ private HttpURLConnection openConnection(URL url) throws IOException {
+ HttpURLConnection conn = null;
+ try {
+ conn = (HttpURLConnection) TlsHelper.openConnection(url);
+ } catch (TlsHelper.TlsHelperException e) {
+ Log.w(Constants.TAG, e);
+ }
+ if (conn == null) {
+ conn = (HttpURLConnection) url.openConnection();
}
+ conn.setConnectTimeout(5000);
+ conn.setReadTimeout(25000);
+ return conn;
+ }
- for (String url : urls) {
- try {
- Log.d(Constants.TAG, "hkp keyserver query: " + url);
- URL realUrl = new URL(url);
- HttpURLConnection conn = (HttpURLConnection) realUrl.openConnection();
- conn.setConnectTimeout(5000);
- conn.setReadTimeout(25000);
- conn.connect();
- int response = conn.getResponseCode();
- if (response >= 200 && response < 300) {
- return readAll(conn.getInputStream(), conn.getContentEncoding());
- } else {
- String data = readAll(conn.getErrorStream(), conn.getContentEncoding());
- throw new HttpError(response, data);
- }
- } catch (MalformedURLException e) {
- // nothing to do, try next IP
- } catch (IOException e) {
- // nothing to do, try next IP
+ private String query(String request) throws QueryFailedException, HttpError {
+ try {
+ URL url = new URL(getUrlPrefix() + mHost + ":" + mPort + request);
+ Log.d(Constants.TAG, "hkp keyserver query: " + url);
+ HttpURLConnection conn = openConnection(url);
+ conn.connect();
+ int response = conn.getResponseCode();
+ if (response >= 200 && response < 300) {
+ return readAll(conn.getInputStream(), conn.getContentEncoding());
+ } else {
+ String data = readAll(conn.getErrorStream(), conn.getContentEncoding());
+ throw new HttpError(response, data);
}
+ } catch (IOException e) {
+ throw new QueryFailedException("querying server(s) for '" + mHost + "' failed");
}
-
- throw new QueryFailedException("querying server(s) for '" + mHost + "' failed");
}
@Override
@@ -341,52 +316,44 @@ public class HkpKeyserver extends Keyserver {
@Override
public String get(String keyIdHex) throws QueryFailedException {
- HttpClient client = new DefaultHttpClient();
+ String request = "/pks/lookup?op=get&options=mr&search=" + keyIdHex;
+ Log.d(Constants.TAG, "hkp keyserver get: " + request);
+ String data;
try {
- String query = getUrlPrefix() + mHost + ":" + mPort +
- "/pks/lookup?op=get&options=mr&search=" + keyIdHex;
- Log.d(Constants.TAG, "hkp keyserver get: " + query);
- HttpGet get = new HttpGet(query);
- HttpResponse response = client.execute(get);
- if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
- throw new QueryFailedException("not found");
- }
-
- HttpEntity entity = response.getEntity();
- InputStream is = entity.getContent();
- String data = readAll(is, EntityUtils.getContentCharSet(entity));
- Matcher matcher = PgpHelper.PGP_PUBLIC_KEY.matcher(data);
- if (matcher.find()) {
- return matcher.group(1);
- }
- } catch (IOException e) {
- // nothing to do, better luck on the next keyserver
- } finally {
- client.getConnectionManager().shutdown();
+ data = query(request);
+ } catch (HttpError httpError) {
+ throw new QueryFailedException("not found");
+ }
+ Matcher matcher = PgpHelper.PGP_PUBLIC_KEY.matcher(data);
+ if (matcher.find()) {
+ return matcher.group(1);
}
-
return null;
}
@Override
public void add(String armoredKey) throws AddKeyException {
- HttpClient client = new DefaultHttpClient();
try {
String query = getUrlPrefix() + mHost + ":" + mPort + "/pks/add";
- HttpPost post = new HttpPost(query);
- Log.d(Constants.TAG, "hkp keyserver add: " + query);
- List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(2);
- nameValuePairs.add(new BasicNameValuePair("keytext", armoredKey));
- post.setEntity(new UrlEncodedFormEntity(nameValuePairs));
-
- HttpResponse response = client.execute(post);
- if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK) {
+ String params;
+ try {
+ params = "keytext=" + URLEncoder.encode(armoredKey, "utf8");
+ } catch (UnsupportedEncodingException e) {
throw new AddKeyException();
}
+ Log.d(Constants.TAG, "hkp keyserver add: " + query);
+
+ HttpURLConnection connection = openConnection(new URL(query));
+ connection.setRequestMethod("POST");
+ connection.addRequestProperty("Content-Type", "application/x-www-form-urlencoded");
+ connection.setRequestProperty("Content-Length", Integer.toString(params.getBytes().length));
+ connection.setDoOutput(true);
+ DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
+ wr.writeBytes(params);
+ wr.flush();
+ wr.close();
} catch (IOException e) {
- // nothing to do, better luck on the next keyserver
- } finally {
- client.getConnectionManager().shutdown();
+ throw new AddKeyException();
}
}
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyShareFragment.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyShareFragment.java
index eccd2a5e5..52b573f47 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyShareFragment.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/ViewKeyShareFragment.java
@@ -152,7 +152,11 @@ public class ViewKeyShareFragment extends LoaderFragment implements
KeyRings.buildUnifiedKeyRingUri(dataUri),
Keys.FINGERPRINT, ProviderHelper.FIELD_TYPE_BLOB);
String fingerprint = PgpKeyHelper.convertFingerprintToHex(data);
- content = Constants.FINGERPRINT_SCHEME + ":" + fingerprint;
+ if(!toClipboard){
+ content = Constants.FINGERPRINT_SCHEME + ":" + fingerprint;
+ } else {
+ content = fingerprint;
+ }
} else {
// get public keyring as ascii armored string
Uri uri = KeychainContract.KeyRingData.buildPublicKeyRingUri(dataUri);
diff --git a/OpenKeychain/src/main/res/raw/help_faq.html b/OpenKeychain/src/main/res/raw/help_faq.html
index e6757d0da..6f8763f36 100644
--- a/OpenKeychain/src/main/res/raw/help_faq.html
+++ b/OpenKeychain/src/main/res/raw/help_faq.html
@@ -12,5 +12,13 @@ And don't add newlines before or after p tags because of transifex -->
<h2>A wrong primary user id is shown when searching on a Keyserver</h2>
<p>Unfortunately, this is a bug in the SKS Keyserver software. Its machine-readable output returns the user ids in an arbitrary order. Read the <a href="https://bitbucket.org/skskeyserver/sks-keyserver/issue/28/primary-uid-in-machine-readable-index">related bug report</a> for more information.</p>
+<h2>How do I activate OpenKeychain in K9-Mail?</h2>
+<p>To use OpenKeychain with K9-Mail, you want to follow these steps:</p>
+<ol>
+ <li>Open K9-Mail and long-tap on the account you want to use OpenKeychain with.</li>
+ <li>Select "Account settings" and scroll to the very bottom and click "Cryptography".</li>
+ <li>Click on "OpenPGP Provider" and select OpenKeychain from the list.</li>
+</ol>
+<p>Thats it.</p>
</body>
</html>