Hi devs,
I would like to start a thread to see how we can manage certificates in WP7 devices, and to see if we can put together some pieces of info around this matter.
So far, these are my findings:
- Certs you import (like Chevron or your private CA cert) go to the registry here:
Code:
[HKCU\Comm\Security\SystemCertificates\Root\Certificates\<Cert Thumbprint>]
"Blob"=hex:....
- There is supposed to be a certificate store for blacklisted certificates (it was there in WM6x) here:
Code:
[HKLM\Comm\Security\SystemCertificates\disallowed\Certificates\<Cert Thumbprint>]
"Blob"=hex:....
Some questions:
- I had the hope to find the Chevron cert under the "disallowed" store, but it is not there, neither under HKCU nor HKLM. How then is Chevron blocked in NoDo?
- Is there a way to delete registry keys? I own an LG Optimus E900, so ideally with MFG... maybe with provxml mechanism? Such a thing will allow us to install test certificates and then delete them when not needed anymore.
Regards!
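An added example (not from the original post or from any WP7 tool): it audits an exported copy of the store layout shown above by checking that each key name equals the SHA-1 thumbprint of the certificate carried in its "Blob" value. The record layout inside the blob (property id, flags, length, data, with id 32 holding the encoded certificate) is an assumption carried over from the desktop Windows serialized certificate format, and the sample data is constructed.

```python
import hashlib
import re
import struct

CERT_PROP_ID = 32  # assumption: id of the encoded-certificate record, as on desktop Windows

def parse_reg_entries(reg_text):
    """Yield (thumbprint taken from the key name, decoded "Blob" bytes)."""
    text = re.sub(r"\\\s*\n\s*", "", reg_text)  # join .reg line continuations
    pattern = re.compile(
        r'^\[[^\]\n]*\\Certificates\\([0-9A-Fa-f]{40})\]\s*\n"Blob"=hex:([0-9A-Fa-f,]*)',
        re.MULTILINE)
    for m in pattern.finditer(text):
        yield m.group(1).upper(), bytes(int(b, 16) for b in m.group(2).split(",") if b)

def extract_cert(blob):
    """Walk (prop_id, flags, length, data) records; return the certificate bytes or None."""
    pos = 0
    while pos + 12 <= len(blob):
        prop_id, _flags, length = struct.unpack_from("<III", blob, pos)
        pos += 12
        if pos + length > len(blob):
            return None  # truncated record: treat the blob as damaged
        if prop_id == CERT_PROP_ID:
            return blob[pos:pos + length]
        pos += length
    return None

def audit(reg_text):
    """Map each key thumbprint to 'ok', 'mismatch' or 'no-cert'."""
    result = {}
    for thumb, blob in parse_reg_entries(reg_text):
        cert = extract_cert(blob)
        digest = hashlib.sha1(cert).hexdigest().upper() if cert is not None else None
        result[thumb] = "no-cert" if cert is None else ("ok" if digest == thumb else "mismatch")
    return result

def make_entry(key_name, cert):
    """Build a constructed .reg entry (sample data, not an export from a real device)."""
    blob = struct.pack("<III", 3, 1, 20) + hashlib.sha1(cert).digest()  # hash record
    blob += struct.pack("<III", CERT_PROP_ID, 1, len(cert)) + cert      # cert record
    h = [f"{b:02x}" for b in blob]
    hexed = ",".join(h[:16]) + ",\\\n  " + ",".join(h[16:])  # wrapped like a real export
    store = r"HKCU\Comm\Security\SystemCertificates\Root\Certificates"
    return f'[{store}\\{key_name}]\n"Blob"=hex:{hexed}\n'

SAMPLE_CERT = b"constructed placeholder bytes, not a real DER certificate"
GOOD = hashlib.sha1(SAMPLE_CERT).hexdigest().upper()
# Second entry reuses the same blob under a wrong key name to show a mismatch.
SAMPLE_REG = make_entry(GOOD, SAMPLE_CERT) + make_entry("0" * 40, SAMPLE_CERT)
```

Calling `audit(SAMPLE_REG)` reports the first entry as `ok` and the second as `mismatch`; an entry whose key name and blob disagree is worth a closer look before it is trusted or deleted.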
Hi,
I made the WP7 Root Tools. For now it works on Samsung devices only. And it is a work in progress. So far, only the registry editor works, but a File Explorer and Certificate Store are coming soon. I use exploits that give me access to the certificate stores in WP7. But I have not done much research in that area yet, so I don't know exactly if there are any limitations.
One thing I'm quite sure of, is that the certificate stores are not only in the registry, but also in databases on the filesystem. So manipulating the registry is not going to be sufficient for adding and removing certificates. When I know more I'll report that in the WP7 Root Tools thread.
Ciao,
Heathcliff74
I recently found the 'Security options' menu item in the mail client, it seems that one can use it to manage certificates for S/MIME.
However whenever I try to import my certificate from internal memory (.key, .cer and .p12 sitting there) I just get the following message: "No key files to import".
Where does the mail client expect the keys and in what format?
The keys and certificates (4096-bit) were generated using openssl and work fine with Thunderbird.
I have already installed the CA's certificate, which worked without a problem.
I am currently running Omega 'ROM v7.4'.
Any help would be appreciated.
Only just realized that it is PGP, not S/MIME that is natively supported.
I have now officially found the first thing I miss from my iPhone.
I found this: http://support.google.com/android/bin/answer.py?hl=en&answer=1649774
And this: http://code.google.com/p/android/issues/detail?id=36010
And this: http://rundquadrat.at/x509tools
https://play.google.com/store/apps/details?id=at.rundquadrat.android.x509tools
I've yet to need to use smime. Hopefully some of this can help.
-----
I would love to help you, but help yourself first: ask a better question
http://www.catb.org/~esr/faqs/smart-questions.html
I have upgraded my Lenovo P2 ROM to Nougat 0.7.
Now the business email is not working due to a missing security certificate (.p12 or .pfx).
Our service provider is not securing the servers with this certificate, so it cannot be obtained through them.
Is there any solution for this problem?
Is there a downloadable certificate that can support it?
Message:
"The app Gmail has requested a certificate. choosing a certificate will let the app use this identity with servers now and in the future. The app has identified the requesting server as mail.egasae.com:443, but you should only give the app access to the certificate if you trust the app.
you can install certificates from a PKCS#12 file with a .pfx or a .p12 extension located in external storage"
PS: mail was working perfectly with the Marshmallow version.
atefaw said:
> I have upgraded my Lenovo P2 ROM to Nougat 0.7.
> Now the business email is not working due to a missing security certificate (.p12 or .pfx).
> Our service provider is not securing the servers with this certificate, so it cannot be obtained through them.
> Is there any solution for this problem?
> Is there a downloadable certificate that can support it?
> Message:
> "The app Gmail has requested a certificate. choosing a certificate will let the app use this identity with servers now and in the future. The app has identified the requesting server as mail.egasae.com:443, but you should only give the app access to the certificate if you trust the app.
> you can install certificates from a PKCS#12 file with a .pfx or a .p12 extension located in external storage"
> PS: mail was working perfectly with the Marshmallow version.
Can I have an answer please??
Hi,
I was surprised today to see that my android firewall (afwall+) blocked several communications from the SMS/MMS application (ID 10068).
The following IP addresses were blocked, all on port 443:
216.58.213.142
216.58.215.46
172.217.19.238
172.217.18.206
These IPs belong to Google hosting and have a self-signed certificate (and redirect to google.com if visited blindly via https://[theip]).
Does anybody have a clue about this?
Thank you
Kriss
PS: my phone runs LineageOS 15, updated on Sept 4th. It is rooted, runs microG, F-Droid and Xposed, and has very few apps on it.
Hello everyone,
As there are no more manga apps working on my Nook Simple Touch (1.2.1 firmware), I try to use the Internet web browser to download manga files.
I tried with Opera Mini and Classic, but I get a popup each time about a certificate problem... I tried the solution mentioned here (TLS 1.2 activated from Opera Classic 12.1) but I am still getting this error.
Any way to bypass those annoying screens?
Thanks
alucard_xs said:
> Hello everyone,
> As there are no more manga apps working on my Nook Simple Touch (1.2.1 firmware), I try to use the Internet web browser to download manga files.
> I tried with Opera Mini and Classic, but I get a popup each time about a certificate problem... I tried the solution mentioned here (TLS 1.2 activated from Opera Classic 12.1) but I am still getting this error.
> Any way to bypass those annoying screens?
> Thanks
Can you post the URL where you get the errors?
Sure, I tried with these:
Can't reach the website:
Scan VF, Lecture En Ligne Scan Naruto, Scan En Ligne One Piece (scan-fr.cc)
Popup with certificate error:
Scantrad France - Scans de mangas en lecture en ligne !
alucard_xs said:
> Sure, I tried with these:
> Can't reach the website:
> Scan VF, Lecture En Ligne Scan Naruto, Scan En Ligne One Piece (scan-fr.cc)
> Popup with certificate error:
> Scantrad France - Scans de mangas en lecture en ligne !
I get a 404 error with the first link.
The second one presents no problem for me with Opera Mobile, although there are issues with display, but no certificate warnings. It's possible your cacerts.bks file either lacks a DST Root CA X3 certificate or has an expired one (if this is a new issue for you). I'm using the file posted here: https://forum.xda-developers.com/t/nst-g-how-to-managing-cacerts-bks.4197451/
I did not try downloading any files from the second site. That may pose additional problems.
Is that first site perhaps scan-vf.net?
Edit: OK, that's weird. I can access the first url on my tablet just fine. I wonder why my laptop gave a 404... Shut down for the day but I'll try again tomorrow to check the certificate.
O.K.
I examined both sites for the certificates in use. The only missing certificate in the cacerts.bks file I use is a Cloudflare Inc ECC CA-3. I exported this and added it to the cacerts.bks file. Then I tried that file with a unit running FW 1.2.1 and another running FW 1.2.2. There was no apparent difference in the behavior.
As I said in the previous post, I had no problem accessing scantrad.net with either Opera Mobile or Opera Mini. There are a lot of missing images with Opera Mobile so I suspect navigating and interacting with the site would be better with Opera Mini. Again I did not try downloading any files. That could be a deal breaker.
As for scan-fr.cc, I was not able to reach it at all. Opera Mobile throws up a more-or-less generic gripe about security and gives the fatal error 40. Sometimes websites which do this can be coaxed into loading by clearing the Opera cache. Not this one. Opera Mini gives an error box which says the server could not be contacted and the option to retry or cancel. No dice there.
There are posts about Opera 12 (although I think that's the Windows version) wherein Cloudflare is demonized and it is clear that Opera (of that vintage) is not able to deal with it.
I got exactly the same results before and after adding the Cloudflare certificate to cacerts.bks, so the server rejection of the connection is more fundamental than that. Logcat doesn't even seem to know that Opera is running, so no help there.
That's all I could find out.
I should probably post this in a thread nmishkin wrote, but this thread was new so I decided to write here anyway. I also have a certificate problem with the B&N store. At first it stopped allowing me to download, without any errors or reports about why that was happening. Recently when I tried, it splashed out a screen about failing to confirm some certificate. Now that is bad practice if B&N is unable to renew its own certificate. And maybe it is not their fault alone if it is related to the things written in this article: https://arstechnica.com/gadgets/202...h-workaround-for-abandonware-android-devices/ . It is another matter if they refuse to update the certificate for an old device, but that is more than bad support IMHO. Is it possible to put a new certificate inside, for example, the latest upgrade zip file and load it on the device as such? Anyway, if you read the article I mentioned you will see it will sort of "work" until 2024 but not further.
Is this about trying to purchase books from B&N? Is the device rooted? Is the firmware updated to 1.2.2?
I don't think cacerts.bks even comes into play in communicating with B&N. As far as I could determine the same file was included with both 1.2.1 and 1.2.2.
In any case, if B&N were pushing silent security updates they would likely fail on a rooted device.
Not rooted. Stock NST with updated firmware 1.2.2. Nothing added or changed at least not by me.
SJT75 said:
> Not rooted. Stock NST with updated firmware 1.2.2. Nothing added or changed at least not by me.
OK, so I think you are outside the US? I ask with a suspicion, but we really need more input from others who are also trying to interface with B&N from outside the US. As Aesop observed, one swallow does not a summer make.
So it could be that. Even with my heavily modified NSTs I can still interface with B&N to the extent of at least "purchasing" free books from the Shop app. I've never bought a book from B&N, so I can't go so far as to say that would work for me also, but I think it probably would.
If there were a way to connect via a VPN in the US, that might answer the question, but other than making the change to a VPN at the router level, I don't think there is any way to get the NST to do that on its own.
A logcat of an attempted transaction with B&N might be revealing, but without root, that's not happening.
Yes. I am in Europe. Thanks for a valid question and proposal for a solution that I am aware of but never thought of as I couldn't get where the problem is. When I do something about it I will reply here for sure.