search

OrlandoLabao43 / sandrob

Automatically exported from code.google.com/p/sandrob
2 stars 0 forks source link

Adding new CA (certificate authorities) as trusted #15

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago 
It would be convenient to add new certificate authorities as trusted 
so that alert pop-up would not appear if user import CA *.cer file

Do you like this idea or it is no matter to you?
I will implement it if there is any need for it.

Original issue reported on code.google.com by supp.san...@gmail.com on 4 May 2011 at 9:32

GoogleCodeExporter commented 8 years ago 
Hello, I think your idea is great and useful. But I have a question.
Where does this application refer as trusted CA?
"/system/etc/security/cacerts.bks" in android?

Original comment by sirugaii...@hotmail.co.jp on 19 May 2011 at 11:33

GoogleCodeExporter commented 8 years ago 
Yes,

It uses build-in function that checks with /system/etc/security/cacerts.bks
SSLParameters.getDefaultTrustManager().checkServerTrusted(         
newServerCertificates, "RSA");

But it also allow to connect to untrusted sites. 
For example self-signed server certificate. 
It this case pop-up appears so the user can examine server certificate.
And then have a choice to continue or cancel connection.

I would implement that even android says <not trusted>, user cacerts.bks is 
examined, and if it finds CA there, no pop-up will appear.

Original comment by supp.san...@gmail.com on 19 May 2011 at 6:57

GoogleCodeExporter commented 8 years ago 
Maybe I should put some warning that user should really 
check server certificate if pop-up appears...

If you don't use client certificate there can be 
SSL Man-in-the-Middle attack.

But if client certificate is used there can't be MiM. 
Because he can not make valid connection to real server. 
He can only fake server, but this is also security issue.

But this is common to all SSL application not just SandroB.

Original comment by supp.san...@gmail.com on 19 May 2011 at 7:39

GoogleCodeExporter commented 8 years ago

Original comment by supp.san...@gmail.com on 26 May 2011 at 5:25

GoogleCodeExporter commented 8 years ago

Original comment by supp.san...@gmail.com on 23 Jun 2011 at 8:17

GoogleCodeExporter commented 8 years ago

Original comment by supp.san...@gmail.com on 19 Jul 2011 at 7:21

GoogleCodeExporter commented 8 years ago 
Thank you for the answer.
Developping this idea, it is neccesary to add new ca to "cacerts.bks".
I want to know the way of adding new ca to "cacerts.bks" with not rooted 
android.

Original comment by sirugaii...@hotmail.co.jp on 24 Jul 2011 at 8:19

GoogleCodeExporter commented 8 years ago 
Probably this file is readonly for ordinary processes.
I think that phone manufactures like HTC, Motorola 
add some CA's before building ROM.

So SandroB would have to have additional bks file to handle new CA's.
Maybe I put wrong sentence in my previous comment.

There would be user_cacert.bks with new CA's, 
no changes will be in /system/etc/security/cacerts.bks

Original comment by supp.san...@gmail.com on 24 Jul 2011 at 8:37

GoogleCodeExporter commented 8 years ago 
Investigate how checking of CA chain works already in android.
Idea is to reuse existing android code as much as possible.

Original comment by supp.san...@gmail.com on 2 Aug 2011 at 4:17

GoogleCodeExporter commented 8 years ago 
I understood that making original new CA database enables SandroB to add new CA 
as trusted without cacerts.bks. Thank you.
By the way, I have another question about SandroB's CertificateLocalStore.
Is there the interface (for example,Intent) which other Android aplications add 
p12 files(client certificates) to SandroB's CertificateLocalStore in SandroB?
I want to know how to do that.

Original comment by sirugaii...@hotmail.co.jp on 28 Aug 2011 at 1:39

GoogleCodeExporter commented 8 years ago 
No, there is no way that other app add certificate to store.
There should be some user interaction for sake of security.

Also is disabled when intent for handling http/https happens on phone, SandroB 
will not be candidate for handling request.

Maybe this could be added back. 
So you can send Intent for https, 
SandroB will try to handle it and pupup for client certificate will appear.

Original comment by supp.san...@gmail.com on 28 Aug 2011 at 9:17

GoogleCodeExporter commented 8 years ago 
I DON"T KNOW WHERE ELSE TO POST A QUESTION ON USING CERTIFICATES WITH SANDROB 
SO I POST MY QUESTION HERE:
  My company requires use of a certificate (.p12 file) to get to company websites and I was able to install it into SandroB for Android 2.3.4 with the certificate installed in 'local store'. I deleted the certificate file on the phone for security since many apps ask for read/write priviledge on the sdcard.   However, the next time I wanted to use it, SandroB forgot it was already installed and would no longer work.  I reinstalled, things worked again, and then it again forgot everything a few days later. HOW CAN I MAKE SANDROB RETAIN THE CERTIFICATE INFORMATION IN LOCAL STORE, as it is a big pain to have to read in the location of the file all the time and give its password, especially when I don't think it is safe to leave the certificate file on the SDDISK.  
  Thank you very much for your help and please take into account I know very little about how these things are supposed to work; just that I need it to get to certain URL's.
-Jeff

Original comment by jeffwei...@gmail.com on 17 Jan 2012 at 7:09

GoogleCodeExporter commented 8 years ago 
For the comment above.
http://code.google.com/p/sandrob/issues/detail?id=55

Original comment by supp.san...@gmail.com on 17 Jan 2012 at 8:50