
Adding new CA (certificate authorities) as trusted #15

Open
GoogleCodeExporter opened this issue Dec 17, 2015 · 13 comments

Comments

@GoogleCodeExporter

It would be convenient to add new certificate authorities as trusted,
so that the alert pop-up would not appear if the user imports a CA *.cer file.

Do you like this idea, or does it not matter to you?
I will implement it if there is any need for it.


Original issue reported on code.google.com by [email protected] on 4 May 2011 at 9:32

@GoogleCodeExporter

Hello, I think your idea is great and useful. But I have a question.
Where does this application look for trusted CAs?
"/system/etc/security/cacerts.bks" in Android?

Original comment by [email protected] on 19 May 2011 at 11:33

@GoogleCodeExporter

Yes,

It uses the built-in function that checks against /system/etc/security/cacerts.bks:
    SSLParameters.getDefaultTrustManager().checkServerTrusted(newServerCertificates, "RSA");

But it also allows connecting to untrusted sites,
for example one with a self-signed server certificate.
In this case a pop-up appears so the user can examine the server certificate
and then choose to continue or cancel the connection.

I would implement it so that even if Android says <not trusted>, the user cacerts.bks is
examined, and if the CA is found there, no pop-up appears.




Original comment by [email protected] on 19 May 2011 at 6:57
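The check order described in the comment above (system trust store first, then the app's own CA store, then the user prompt), written out as an added example against the public javax.net.ssl API rather than the Android-internal SSLParameters.getDefaultTrustManager() call the comment quotes. This is illustrative code, not SandroB's; FallbackTrustManager and UntrustedChainException are names assumed here, and the user store is whatever KeyStore the caller passes in (the thread's user_cacert.bks, once loaded).

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Server trust check in the order discussed in the thread:
 *   1. the platform default trust store (on Android, /system/etc/security/cacerts.bks);
 *   2. if that rejects the chain, the app's own user CA store (e.g. user_cacert.bks);
 *   3. if both reject it, throw so the caller can show the "examine certificate" pop-up.
 * Class and exception names are assumptions for this example, not SandroB identifiers.
 */
public final class FallbackTrustManager implements X509TrustManager {

    /** Raised when neither store trusts the chain; carries the chain for the user prompt. */
    public static final class UntrustedChainException extends CertificateException {
        public final X509Certificate[] chain;

        UntrustedChainException(X509Certificate[] chain, Throwable systemFailure) {
            super("server chain not trusted by the system or the user CA store", systemFailure);
            this.chain = chain;
        }
    }

    private final X509TrustManager systemTm;
    private final X509TrustManager userTm;   // null when the user store is empty

    /** userCaStore may be null or empty on first run; it must contain only CA certificates. */
    public FallbackTrustManager(KeyStore userCaStore) throws GeneralSecurityException {
        this.systemTm = firstX509(null);      // init(null) selects the platform default store
        // PKIX validation needs at least one trust anchor, so an empty store is not wired in.
        this.userTm = (userCaStore != null && userCaStore.size() > 0) ? firstX509(userCaStore) : null;
    }

    private static X509TrustManager firstX509(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        try {
            systemTm.checkServerTrusted(chain, authType);     // authType comes from the handshake
            return;                                           // trusted by the system store
        } catch (CertificateException systemFailure) {
            if (userTm == null) {
                throw new UntrustedChainException(chain, systemFailure);
            }
            try {
                userTm.checkServerTrusted(chain, authType);   // trusted by a user-imported CA
            } catch (CertificateException userFailure) {
                throw new UntrustedChainException(chain, systemFailure);
            }
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // A browser only validates servers; refuse rather than silently accept.
        throw new CertificateException("client certificate validation is not performed here");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] sys = systemTm.getAcceptedIssuers();
        if (userTm == null) {
            return sys;
        }
        X509Certificate[] usr = userTm.getAcceptedIssuers();
        X509Certificate[] all = new X509Certificate[sys.length + usr.length];
        System.arraycopy(sys, 0, all, 0, sys.length);
        System.arraycopy(usr, 0, all, sys.length, usr.length);
        return all;
    }
}
```

Wire it in through an SSLContext (`ctx.init(keyManagers, new TrustManager[]{ new FallbackTrustManager(userStore) }, null)`) and catch UntrustedChainException around the handshake to show the pop-up. Note that the user-store path still performs full chain validation (signatures, validity, basicConstraints); the only thing it relaxes is which anchors count. Hostname verification is a separate step (HostnameVerifier, or setEndpointIdentificationAlgorithm on the SSLParameters), and a chain accepted by either store still needs it.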

@GoogleCodeExporter

Maybe I should put some warning that the user should really
check the server certificate if the pop-up appears...

If you don't use a client certificate there can be an
SSL man-in-the-middle attack.

But if a client certificate is used there can't be a MitM,
because he cannot make a valid connection to the real server.
He can only fake the server, but this is also a security issue.

But this is common to all SSL applications, not just SandroB.

Original comment by [email protected] on 19 May 2011 at 7:39

@GoogleCodeExporter

Original comment by [email protected] on 26 May 2011 at 5:25

  • Changed state: Accepted
  • Added labels: Milestone-Release1.0.2

@GoogleCodeExporter

Original comment by [email protected] on 23 Jun 2011 at 8:17

  • Added labels: Milestone-Release1.0.3
  • Removed labels: Milestone-Release1.0.2

@GoogleCodeExporter

Original comment by [email protected] on 19 Jul 2011 at 7:21

  • Added labels: Milestone-Release1.0.4
  • Removed labels: Milestone-Release1.0.3

@GoogleCodeExporter

Thank you for the answer.
Developing this idea, it is necessary to add the new CA to "cacerts.bks".
I want to know the way of adding a new CA to "cacerts.bks" on a non-rooted
Android device.

Original comment by [email protected] on 24 Jul 2011 at 8:19

@GoogleCodeExporter

Probably this file is read-only for ordinary processes.
I think that phone manufacturers like HTC and Motorola
add some CAs before building the ROM.

So SandroB would have to have an additional bks file to handle new CAs.
Maybe I put a wrong sentence in my previous comment.

There would be a user_cacert.bks with the new CAs;
no changes will be made to /system/etc/security/cacerts.bks.



Original comment by [email protected] on 24 Jul 2011 at 8:37
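An added example (not SandroB's code) of the separate per-app store the comment above proposes: a hypothetical UserCaStore class that keeps a user_cacert.bks under the app's private directory and imports a CA *.cer file into it, leaving /system/etc/security/cacerts.bks untouched so no root is required. It adds the checks a reviewer would want before a file becomes a trust anchor: the certificate must carry the basicConstraints CA flag, must be within its validity period, and is keyed on its SHA-256 fingerprint so a second import with the same subject name cannot replace an existing entry. The file name, password handling and class name are assumptions for this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * The app's own CA store (hypothetical name user_cacert.bks) in app-private storage.
 * The system store /system/etc/security/cacerts.bks is never touched, so no root is needed.
 */
public final class UserCaStore {
    // "BKS" is the Bouncy Castle keystore type that ships with Android. On a desktop JVM it
    // needs the Bouncy Castle provider on the classpath; "PKCS12" works there without it.
    private static final String STORE_TYPE = "BKS";

    private final File storeFile;
    private final char[] password;

    public UserCaStore(File appPrivateDir, char[] password) {
        this.storeFile = new File(appPrivateDir, "user_cacert.bks");
        this.password = password;
    }

    /** Loads the store, or starts an empty one on first use. */
    public KeyStore load() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        if (storeFile.isFile()) {
            try (InputStream in = new FileInputStream(storeFile)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    /**
     * Imports a DER or PEM encoded .cer file as a trusted CA and returns the alias used.
     * Refuses anything that is not a CA certificate or is outside its validity period;
     * a leaf certificate would otherwise silently become a trust anchor for itself.
     */
    public String importCa(InputStream cerFile) throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(cerFile);

        if (ca.getBasicConstraints() < 0) {   // -1 means the basicConstraints CA flag is absent or false
            throw new CertificateException("not a CA certificate: " + ca.getSubjectX500Principal());
        }
        ca.checkValidity();                    // throws if expired or not yet valid

        // Alias on the SHA-256 fingerprint: the same CA is stored once, and a different
        // certificate with the same subject name cannot overwrite an existing entry.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(ca.getEncoded());
        String alias = "ca:" + hex(digest);

        KeyStore ks = load();
        if (!ks.containsAlias(alias)) {
            ks.setCertificateEntry(alias, ca);
            try (FileOutputStream out = new FileOutputStream(storeFile)) {
                ks.store(out, password);
            }
        }
        return alias;
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

The KeyStore returned by load() is what a fallback trust manager would be initialised with. Keep the import behind an explicit user action that displays the subject and fingerprint, since anything written here becomes an anchor that can vouch for any hostname, and do not hand an empty store to TrustManagerFactory.init, because PKIX validation requires at least one trust anchor.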

@GoogleCodeExporter

Investigate how checking of the CA chain already works in Android.
The idea is to reuse existing Android code as much as possible.

Original comment by [email protected] on 2 Aug 2011 at 4:17

  • Changed state: Started

@GoogleCodeExporter

I understood that making an original new CA database enables SandroB to add new CAs
as trusted without cacerts.bks. Thank you.
By the way, I have another question about SandroB's CertificateLocalStore.
Is there an interface (for example, an Intent) by which other Android applications can add
p12 files (client certificates) to SandroB's CertificateLocalStore?
I want to know how to do that.

Original comment by [email protected] on 28 Aug 2011 at 1:39

@GoogleCodeExporter

No, there is no way for another app to add a certificate to the store.
There should be some user interaction for the sake of security.

Also, this is disabled: when an intent for handling http/https happens on the phone,
SandroB will not be a candidate for handling the request.

Maybe this could be added back.
Then you could send an Intent for https,
SandroB would try to handle it, and the pop-up for the client certificate would appear.

Original comment by [email protected] on 28 Aug 2011 at 9:17

@GoogleCodeExporter

I DON'T KNOW WHERE ELSE TO POST A QUESTION ON USING CERTIFICATES WITH SANDROB
SO I POST MY QUESTION HERE:
My company requires use of a certificate (.p12 file) to get to company websites and I was able to install it into SandroB for Android 2.3.4 with the certificate installed in 'local store'. I deleted the certificate file on the phone for security since many apps ask for read/write privilege on the sdcard. However, the next time I wanted to use it, SandroB forgot it was already installed and would no longer work. I reinstalled, things worked again, and then it again forgot everything a few days later. HOW CAN I MAKE SANDROB RETAIN THE CERTIFICATE INFORMATION IN LOCAL STORE, as it is a big pain to have to read in the location of the file all the time and give its password, especially when I don't think it is safe to leave the certificate file on the SD disk.
Thank you very much for your help and please take into account I know very little about how these things are supposed to work; just that I need it to get to certain URLs.
-Jeff

Original comment by [email protected] on 17 Jan 2012 at 7:09

@GoogleCodeExporter

For the comment above, see:
http://code.google.com/p/sandrob/issues/detail?id=55

Original comment by [email protected] on 17 Jan 2012 at 8:50
