Open GoogleCodeExporter opened 8 years ago
Hello, I think your idea is great and useful. But I have a question.
What does this application refer to as trusted CAs?
"/system/etc/security/cacerts.bks" in Android?
Original comment by sirugaii...@hotmail.co.jp
on 19 May 2011 at 11:33
Yes,
It uses a built-in function that checks against /system/etc/security/cacerts.bks:
SSLParameters.getDefaultTrustManager().checkServerTrusted(
newServerCertificates, "RSA");
But it also allows connecting to untrusted sites,
for example one with a self-signed server certificate.
In this case a pop-up appears so the user can examine the server certificate
and then has a choice to continue or cancel the connection.
I would implement that even if Android says <not trusted>, the user cacerts.bks is
examined, and if it finds the CA there, no pop-up will appear.
Original comment by supp.san...@gmail.com
on 19 May 2011 at 6:57
Maybe I should add a warning that the user should really
check the server certificate if the pop-up appears...
If you don't use a client certificate there can be
an SSL Man-in-the-Middle attack.
But if a client certificate is used there can't be MiM,
because he cannot make a valid connection to the real server.
He can only fake the server, but this is also a security issue.
But this is common to all SSL applications, not just SandroB.
Original comment by supp.san...@gmail.com
on 19 May 2011 at 7:39
Original comment by supp.san...@gmail.com
on 26 May 2011 at 5:25
Original comment by supp.san...@gmail.com
on 23 Jun 2011 at 8:17
Original comment by supp.san...@gmail.com
on 19 Jul 2011 at 7:21
Thank you for the answer.
Developing this idea, it is necessary to add a new CA to "cacerts.bks".
I want to know the way of adding a new CA to "cacerts.bks" on a non-rooted
Android.
Original comment by sirugaii...@hotmail.co.jp
on 24 Jul 2011 at 8:19
Probably this file is read-only for ordinary processes.
I think that phone manufacturers like HTC and Motorola
add some CAs before building the ROM.
So SandroB would have to have an additional bks file to handle new CAs.
Maybe I put a wrong sentence in my previous comment.
There would be a user_cacert.bks with the new CAs;
no changes will be made in /system/etc/security/cacerts.bks
Original comment by supp.san...@gmail.com
on 24 Jul 2011 at 8:37
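The design described in this comment and in the 19 May 2011 one (a separate user keystore consulted only when the system store rejects a chain), sketched as an added example that is not SandroB's own code. It uses the public TrustManagerFactory API instead of the internal SSLParameters call quoted earlier; the class name FallbackTrustManager and the keystore stream and password parameters are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper: system trust store first, then a user-managed BKS file. */
public final class FallbackTrustManager implements X509TrustManager {
    private final X509TrustManager system, user;

    public FallbackTrustManager(InputStream userStore, char[] password) throws Exception {
        system = load(null);                       // null = platform default trust anchors
        KeyStore ks = KeyStore.getInstance("BKS"); // assumes a BKS provider, as on Android
        ks.load(userStore, password);              // e.g. the app-private user_cacert.bks
        user = load(ks);
    }

    private static X509TrustManager load(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            system.checkServerTrusted(chain, authType);
        } catch (CertificateException systemFailure) {
            // An empty user store can never vouch for a chain: report the system verdict.
            if (user.getAcceptedIssuers().length == 0) throw systemFailure;
            // Throws if no user-added CA anchors the chain; the caller then shows the pop-up.
            user.checkServerTrusted(chain, authType);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] a = system.getAcceptedIssuers(), b = user.getAcceptedIssuers();
        X509Certificate[] all = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, all, a.length, b.length);
        return all;
    }
}
```

Keeping the user keystore in app-private storage means the system file stays untouched and no root access is needed to add a CA.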
Investigate how checking of the CA chain already works in Android.
The idea is to reuse existing Android code as much as possible.
Original comment by supp.san...@gmail.com
on 2 Aug 2011 at 4:17
I understood that making an original new CA database enables SandroB to add a new CA
as trusted without cacerts.bks. Thank you.
By the way, I have another question about SandroB's CertificateLocalStore.
Is there an interface (for example, an Intent) by which other Android applications can add
p12 files (client certificates) to SandroB's CertificateLocalStore?
I want to know how to do that.
Original comment by sirugaii...@hotmail.co.jp
on 28 Aug 2011 at 1:39
No, there is no way for another app to add a certificate to the store.
There should be some user interaction for the sake of security.
Also, this is disabled: when an intent for handling http/https happens on the phone, SandroB
will not be a candidate for handling the request.
Maybe this could be added back.
So you can send an Intent for https,
SandroB will try to handle it, and a pop-up for the client certificate will appear.
Original comment by supp.san...@gmail.com
on 28 Aug 2011 at 9:17
I DON'T KNOW WHERE ELSE TO POST A QUESTION ON USING CERTIFICATES WITH SANDROB
SO I POST MY QUESTION HERE:
My company requires use of a certificate (.p12 file) to get to company websites and I was able to install it into SandroB for Android 2.3.4 with the certificate installed in 'local store'. I deleted the certificate file on the phone for security since many apps ask for read/write privilege on the sdcard. However, the next time I wanted to use it, SandroB forgot it was already installed and would no longer work. I reinstalled, things worked again, and then it again forgot everything a few days later. HOW CAN I MAKE SANDROB RETAIN THE CERTIFICATE INFORMATION IN LOCAL STORE, as it is a big pain to have to read in the location of the file all the time and give its password, especially when I don't think it is safe to leave the certificate file on the SDDISK.
Thank you very much for your help and please take into account I know very little about how these things are supposed to work; just that I need it to get to certain URLs.
-Jeff
Original comment by jeffwei...@gmail.com
on 17 Jan 2012 at 7:09
For the comment above.
http://code.google.com/p/sandrob/issues/detail?id=55
Original comment by supp.san...@gmail.com
on 17 Jan 2012 at 8:50
Original issue reported on code.google.com by
supp.san...@gmail.com
on 4 May 2011 at 9:32