Add the user certificates as additional certificates to the ClientBuilder #2392
Conversation
Thank you for your contribution! Here are a few things to check in the PR to ensure it's reviewed as quickly as possible:
force-pushed from 615883e to d424675
…lder

Now, this is a story all about how
Certificates work in Android town
And I'd like to take a minute
Enter, close the door
I'll tell you how I've figured out the inner workings of the Keystore
Well it all boils down to the fact that Google got scared
It said, "Your certs are movin' to a place you won't find".

So the directory the user certificates are stored in is hard to find, and possibly not readable by your application[1]. Instead, we need to use the Keystore[2] API, specifically we'll need to open the `AndroidCAStore` Keystore type. The various Keystore types are supposedly documented[3], but I'm failing to find a logical path that would lead you to conclude that:

a) System certificates can or should be accessed using the Keystore, specifically the `AndroidCAStore` type
b) User certificates can be found in the same Keystore type as the system certificates

So this was mostly found using random googling, swearing, and a couple of educated guesses.

[1]: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
[2]: https://developer.android.com/reference/java/security/KeyStore
[3]: https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#keystore-types
force-pushed from d424675 to e9d3bfd
What do I need to do to get this merged/reviewed? The CI failures seem to be caused by the fact that I created the PR from a fork and a random 500 error codecov threw. In other words, the CI failures are unrelated to the changes I made.
I tried to test this, but I can't get anything in mitmproxy, probably because the OkHttp request we do to
...rix/impl/src/main/kotlin/io/element/android/libraries/matrix/impl/RustMatrixClientFactory.kt
Thanks @poljar, I will merge the PR in a branch I own to be able to add more commits. This will then be reviewed as a regular PR.
merged 1751920 into element-hq:feature/bma/userCertificates
I think that this is due to `mitmproxy --mode reverse:https://matrix.org --listen-port 8010`. Just note that once well-known has been handled, after logging in, the reverse proxy won't be used by the Client anymore.
I can confirm it works as expected when using
Now, this is a story all about how
Certificates work in Android town
And I'd like to take a minute
Enter, close the door
I'll tell you how I've figured out the inner workings of the Keystore
Well it all boils down to the fact that Google got scared
It said, "Your certs are movin' to a place you'll never find 'em".

So the directory the user certificates are stored in is hard to find, and possibly not readable by your application[1]. Instead, we need to use the Keystore[2] API, specifically we'll need to open the `AndroidCAStore` Keystore type. The various Keystore types are supposedly documented[3], but I'm failing to find a logical path that would lead you to conclude that:

a) System certificates can or should be accessed using the Keystore, specifically the `AndroidCAStore` type
b) User certificates can be found in the same Keystore type as the system certificates

So this was mostly found using random googling, swearing, and a couple of educated guesses.

[1]: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html
[2]: https://developer.android.com/reference/java/security/KeyStore
[3]: https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html#keystore-types
Type of change
Content
The Rust SDK, if configured to use the `rustls` crate for SSL, reads the system certificates using the `openssl-probe` crate. The `openssl-probe` crate reads the certificates from some predefined directory. This directory doesn't contain any additional certificates the user installed on the device.

Like previously mentioned, user-installed certificates should™ be gathered via the `Keystore` API and that one might not be available from Rust land. We can't easily modify the `openssl-probe` crate to use the `Keystore` API so here we are doing it the dumb way. We load the certs from the Kotlin side and push them to the Rust side.

It would probably be nice to write a test for the method that gathers the certificates, but I have no idea how to do this.
This PR requires: matrix-org/matrix-rust-sdk#3126
Motivation and context
Sorry, no motivation was found. Somebody told me to do this.
Screenshots / GIFs
mitmproxy.webm
Tests

1. Obtain the `mitmproxy` CA certificate, `mitmproxy` does this automatically when it starts up the first time.
2. Push the `mitmproxy` certificate to the emulated device using `adb push mitmproxy-ca-cert.cer /data/local`
3. Start `mitmproxy` in reverse proxy mode: `mitmproxy --mode reverse:http://localhost:8008 -k --listen-port 8010`
4. `adb reverse tcp:8010 tcp:8010`
5. Use the `mitmproxy` reverse proxy using `https://localhost:8010` as the homeserver address

Tested devices
Android 14.0 ("UpsideDownCake") | x86_64 | API 34
Checklist
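As an added illustration of the approach the PR description outlines (this is example code, not code from the PR or from the Element project), here is how the user-installed certificates can be read from the `AndroidCAStore` keystore in Kotlin and collected as DER bytes for the Rust side. It assumes that `AndroidCAStore` names user-installed entries with a `user:` alias prefix and built-in ones with `system:` (an assumption about Android's trusted certificate store, not something the PR states), and `pushCertificatesToRust` is a hypothetical stand-in for whichever `ClientBuilder` method the Rust SDK exposes for additional root certificates.

```kotlin
import java.security.KeyStore
import java.security.cert.CertificateException
import java.security.cert.X509Certificate

// Assumed alias prefixes used by the AndroidCAStore keystore type:
// "user:" for certificates the user installed, "system:" for the built-in ones.
private const val USER_ALIAS_PREFIX = "user:"
private const val SYSTEM_ALIAS_PREFIX = "system:"

/**
 * Collects the X.509 certificates the user installed on the device.
 *
 * The AndroidCAStore keystore exposes both system and user certificates; only the
 * user-installed ones are of interest here, because the Rust side already picks up
 * the system ones via openssl-probe. Expired or otherwise invalid certificates are
 * skipped so that they are never handed to the native TLS stack as trust anchors.
 *
 * @return DER-encoded certificates, in the form a native layer can parse directly.
 */
fun loadUserInstalledCertificates(): List<ByteArray> {
    val keyStore = KeyStore.getInstance("AndroidCAStore")
    // AndroidCAStore has no backing stream or password; load(null) initialises it.
    keyStore.load(null)

    val userCerts = mutableListOf<ByteArray>()
    for (alias in keyStore.aliases()) {
        // Ignore the built-in trust anchors and anything with an unexpected alias shape.
        if (alias.startsWith(SYSTEM_ALIAS_PREFIX) || !alias.startsWith(USER_ALIAS_PREFIX)) continue

        val cert = keyStore.getCertificate(alias) as? X509Certificate ?: continue
        try {
            // Throws CertificateExpiredException / CertificateNotYetValidException.
            cert.checkValidity()
        } catch (e: CertificateException) {
            // Not valid at this point in time: do not forward it as a trust anchor.
            continue
        }
        userCerts += cert.encoded
    }
    return userCerts
}

/**
 * Hypothetical hook: forwards the collected certificates to the Rust SDK's client builder.
 * The real method name and signature depend on the SDK version in use.
 */
fun pushCertificatesToRust(certificates: List<ByteArray>) {
    // e.g. clientBuilder.addRootCertificates(certificates) -- name assumed, not from the PR.
    println("would forward ${certificates.size} user-installed certificate(s) to the Rust SDK")
}

fun main() {
    val certs = loadUserInstalledCertificates()
    pushCertificatesToRust(certs)
}
```

Filtering on the `user:` prefix is what keeps the system trust anchors from being sent twice, and `checkValidity()` is the cheap guard worth having: a stale test CA (such as an old mitmproxy certificate that was never removed from the device) should not silently remain a trust anchor for the native client.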