Closed afioletov closed 4 years ago
Certificates for your application need to be configured using the network config file; documentation is at https://developer.android.com/training/articles/security-config
For your use case, you want to add a network_security_config.xml file to res/xml folder:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
By default, apps trust only preinstalled CAs.
The change was introduced in API 24: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default.
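An added example, not part of the thread or of Cordova's own code: a Python check that reports where a network_security_config.xml trusts user-added CAs, run on the config posted above and on a constructed variant that limits that trust to one host and to debuggable builds. The host name `internal.example.com`, the function name `user_ca_scopes` and the scoped variant are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# The config posted in this thread: user-added CAs trusted by default, in every build.
THREAD_CONFIG = """<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
</network-security-config>"""

# Constructed variant: user CAs only for one host (placeholder name) and debug builds.
SCOPED_CONFIG = """<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">internal.example.com</domain>
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user" />
    </trust-anchors>
  </debug-overrides>
</network-security-config>"""

COVERAGE = {"base-config": "default for all connections",
            "debug-overrides": "debuggable builds only"}


def user_ca_scopes(xml_text):
    """Return (block, coverage) for every block whose trust-anchors include src="user"."""
    findings = []
    for block in ET.fromstring(xml_text).iter():
        if block.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        # Only this block's own trust-anchors; nested domain-configs are visited separately.
        srcs = [c.get("src") for c in block.findall("trust-anchors/certificates")]
        if "user" in srcs:
            domains = ",".join((d.text or "").strip() for d in block.findall("domain"))
            findings.append((block.tag, COVERAGE.get(block.tag, domains)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("scoped", SCOPED_CONFIG)):
        print(name, user_ca_scopes(cfg))
```

A finding on `base-config` means any CA the device user or an admin installs is trusted for the app's TLS connections in release builds, which is the scope to review before shipping.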
So it's an Android thing, good to know.
Thank you, @faugusztin!
Is there anything similar in the latest iOS version?
You can trust custom certs on iOS, too, even root CAs, and AFAIK it's "available/trusted" in every app (unless they do stuff like certificate pinning).
It worked. Thank you!
iOS does not like SSL certificates with a long validity period anymore.
That looks like what I want to do. Can I get the Cordova build to do this for me?
Yes. Create a network_security_config.xml file somewhere, and add it to your config.xml as a resource-file to be copied into the Android platform, and then use edit-config to point the AndroidManifest to it:
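<!-- in your config.xml file -->
<!-- the android: attribute below needs xmlns:android="http://schemas.android.com/apk/res/android" declared on the root <widget> element -->
<platform name="android">
    <!-- copy the config into the Android project's res/xml folder -->
    <resource-file src="path/to/network_security_config.xml" target="app/src/main/res/xml/network_security_config.xml" />
    <!-- point the AndroidManifest's <application> element at the copied file -->
    <edit-config file="app/src/main/AndroidManifest.xml" mode="merge" target="/manifest/application">
        <application android:networkSecurityConfig="@xml/network_security_config" />
    </edit-config>
</platform>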
Perfect, exactly what I was after. Thank you!
Description
I manually installed a CA certificate on the device, and the browser works as expected with no warning about the SSL certificate. But it does not happen in my Cordova app. I got an exception about failed certificate validation when an ajax request is executed.
Should the app work with manually installed roots?
Environment, Platform, Device
All Android devices. We tried Android 7 and 9.
It worked on iOS with manually installed profiles, but starting with 13.4 (or previous), it stopped working too with new iOS updates.