[security] [SSL] Client Cert and Cert Passwords get stored unencrypted

[danimo]

We need store at least the password using QKeychain.

[danimo]

//cc @qknight

[danimo]

Setup of client certs disabled for now.

[qknight]

ok, i will contribute the new code tomorrow.

i think i only have to add code from here: https://github.com/frankosterfeld/qtkeychain/blob/master/testclient.cpp

to

• configfile.cpp::certificatePassword() and
• configfile.cpp::setCertificatePassword()

[danimo]

The challenge is that qtkeychain is async, whereas those code locations are called synchronouslyut. Plus the right place to do it IMHO is in HttpCredentials::persist() and HttpCredentials::fetch() (we already store/fetch the passwords there).

[qknight]

IMHO redrawing this feature, because of this qtkeychain issue, is really naive as not saving the password in plain text compared to potentially having an insecure installation where everyone on the internet has access to, for instance when not doing all security updates or when having a broken configuration, is the real problem and motivation for this patch.

i guess that even firefox saves the p12 password unencrypted.

if you fear that someone wants to steal your p12, by all means, just use disk encryption!

anyway i will look into this and i really want that feature to be in 1.8!

[qknight]

@danimo i've been looking into HttpCredentials::persist() and HttpCredentials::fetch() and i don't understand what they are doing. could you explain their function to me?

[qknight]

the more i think about the QKeyChain the more i realise that this should be a extension to QSettings. imagine that you could just use QSettings, but with an additional flag it would store the data using QKeyChain transparently.

[qknight]

@danimo been working on the patch and i think i'm nearly there but two things:

• when is the deadline to get it tested and still into 1.8?
• should i access httpcredentials from account class or should i access the certificate PW in account using qtkeychain?

i love the way you changed the wizard in owncloudconnectionmethoddialog.cpp as it really looks good now!

[qknight]

good news! the problem #2810 is nearly fixed! my hacky code already works and does save any certificate password in the /home/joachim/.local/share/data/ownCloud/owncloud.cfg configuration file anymore.

https://github.com/qknight/client/compare/master-ssl-client-certs-glaub-defekt

warning: code contains hardcoded values so it won't work for you without modifications, search for 'schiejo' which has to be replaced by your username.

next step: cleanup with danimo.

[dragotin]

postponed to 1.8.1