
No error displayed if certificate error

Open kmorinCL opened this issue 11 years ago • 2 comments

I tried to connect to a Redmine instance which had a certificate issue. No error was displayed; I just had an empty project list. I had to check the logs to understand what was wrong. There should be a dialog to inform me there is an error.

kmorinCL avatar Mar 26 '14 08:03 kmorinCL

Thank you for reporting. We will specify what is an error and what is not. -- this is a todo.

We found this issue 1 year ago, but there is another problem. The error shows in the following cases when using jp.redmine.redmineclient.activity.helper.ActivityHelper.toastRemoteError:

  • The project list or other masters would be fetched, but the user list cannot be fetched because of permissions
  • On v1.x, enumerations are not supported

indication avatar Mar 28 '14 03:03 indication

+1 This is a security issue. http://www.kb.cert.org/vuls/id/582497

This app allows generating an empty TrustManager, so Android fails to properly validate SSL certificates.

For more detail: https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=134807561

Example from AndroidSecureCoding (PDF)

// Start from an empty key store and load only the expected CA certificate into it
KeyStore ks = KeyStoreUtil.getEmptyKeyStore();
KeyStoreUtil.loadX509Certificate(ks,mContext.getResources().getAssets().open("cacert.crt"));
// Build the HTTPS scheme from that key store, so the server chain must validate against this CA only
Scheme sch = new Scheme("https", new SSLSocketFactory(ks), 443);
client.getConnectionManager().getSchemeRegistry().register(sch);

package org.jssec.android.https.privatecertificate;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
public class KeyStoreUtil {
    public static KeyStore getEmptyKeyStore() throws KeyStoreException,
    NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore ks = KeyStore.getInstance("BKS");
        ks.load(null);
        return ks;
    }
    public static void loadAndroidCAStore(KeyStore ks)
    throws KeyStoreException, NoSuchAlgorithmException,
    CertificateException, IOException {
        KeyStore aks = KeyStore.getInstance("AndroidCAStore");
        aks.load(null);
        Enumeration<String> aliases = aks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = aks.getCertificate(alias);
            ks.setCertificateEntry(alias, cert);
        }
    }
    public static void loadX509Certificate(KeyStore ks, InputStream is)
    throws CertificateException, KeyStoreException {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X509");
            X509Certificate x509 = (X509Certificate)factory.generateCertificate(is);
            String alias = x509.getSubjectDN().getName();
            ks.setCertificateEntry(alias, x509);
        } finally {
            try { is.close(); } catch (IOException e) { }
        }
    }
}

indication avatar Sep 26 '14 16:09 indication
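As an added illustration (not code from the OpenRedmine project or the JSSEC guide): the same key-store-backed approach expressed with the standard javax.net.ssl API, where a TrustManagerFactory is initialised from a store holding only the expected CA (instead of an empty TrustManager that accepts anything), and a failed handshake is handed to a callback so the UI can show the dialog this issue asks for rather than silently ending up with an empty project list. The class, method and callback names and the "redmine-ca" alias are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedHttpsClient {

    /** Hypothetical callback so the UI layer can show a dialog instead of an empty list. */
    public interface ErrorSink {
        void onCertificateError(String host, Exception cause);
    }

    /** Builds an SSLContext whose trust store contains only the CA read from 'caPem'. */
    public static SSLContext contextTrustingOnly(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = (X509Certificate) cf.generateCertificate(caPem);
        // Empty store first (BKS on Android, as in the KeyStoreUtil above), then exactly one anchor
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("redmine-ca", ca);
        // A real X509TrustManager: chain building and validation happen against 'ks' only
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Fetches 'url'; returns the HTTP status, or -1 after reporting a certificate failure. */
    public static int fetch(URL url, SSLContext ctx, ErrorSink sink) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // hostname verification stays on by default
        try {
            return conn.getResponseCode();
        } catch (SSLHandshakeException e) {
            // Untrusted chain, expired cert, hostname mismatch: surface it, never swallow it
            sink.onCertificateError(url.getHost(), e);
            return -1;
        } finally {
            conn.disconnect();
        }
    }
}
```

The ErrorSink implementation is where the app would raise its dialog; logging alone reproduces the behaviour the reporter complained about.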