AdguardTeam / adguardcert

Magisk module that allows using AdGuard's HTTPS filtering for all apps
https://adguard.com/
MIT License
334 stars 21 forks source link

Question: Why cross-signing the user-cert ? #44

Closed powellnorma closed 1 year ago

powellnorma commented 1 year ago

In the Readme it says:

The certificate that is left in the user store is cross-signed with the one that goes into the system store. This allows apps that don't trust user certificates to still accept AdGuard's certificate, while apps that do trust user certificates (like Chrome or other browsers) will construct a shorter validation path to the certificate stored in the user store.

But afaik not cross-signing the CA would work as well, because by definition a "trusted CA" is a "trusted root" (of a validation chain), or isn't it? Does it have any other advantages to do this cross signing? Thank you!

sfionov commented 1 year ago

@powellnorma We simply implemented the first scheme that worked without Zygisk.

Signing in different order (User CA -> System CA -> Leaf) might also work. But since module is very simple, we need to decide which of this two CAs is moved to system store. We decided to move the same cert which was touched in previous versions (Adguard Personal CA).

powellnorma commented 1 year ago

Ok, but what about this? System CA -> Leaf User CA -> Leaf

Or have you not tested this? I think it should work?

sfionov commented 1 year ago

"System CA" and "User CA" is required to be be different certs.

That needs to use two certificate caches, and info about which applications sees user certs, and which does not. That requires scanning of application manifests. A lot of unnecessary work should be done.

Two-cert scheme with intermediate cert installed into user store does not require it.