[IGBF-3130] Investigate trust following certificate modal - JIRA UNCC

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 9.1.10 Major Release
Labels:
None

Story Points:
1
Epic Link:
Improve IGB for users
Sprint:
Summer 2 2022 June 6, Summer 3 2022 June 21

Description

Situation: A user reported a problem with IGB on Windows where they were unable to interact with the "Trust following certificate" modal that appeared. Because they were unable to interact with the modal, the user was unable to use IGB.

Task: Reproduce the issue on Windows and investigate why the modal is unable to be interacted with.

Attachments

Issue Links

relates to

IGBF-3138 Investigate IGB update on startup

To-Do

IGBF-3001 Handle data sources with improper SSL certificates

Closed

IGBF-3136 Remove modal from IGBTrustManager

Closed

IGBF-2370 Investigate IGB certificate dialog box option selection problems

Closed

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Nowlan Freese added a comment - 14/Jun/22 3:08 PM - edited

To view the modal popup consistently you need to modify the code in IGBTrustManager.java checkServerTrusted() so that the modal appears every time a certificate is authenticated.

For example:

    public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {

        StringBuilder certificates = new StringBuilder("\n\n");
        IGB app = IGB.getInstance();
        for (X509Certificate cert : certs) {
            certificates.append(cert.getIssuerX500Principal().getName()).append(",").append("\n");
        }
        JComponent comp = (app == null) ? null : app.getFrame().getRootPane();
//        try {
            //kiran:IGBF-1362: First try to validate the certificate using the default trust store
//            defaultTm.checkServerTrusted(certs,authType);
            logger.info("Authenticated {} certificates using default trust store",certificates.toString().replace("\n", "").replace("\r", ""));
//        } catch (CertificateException e) {
            //if certificate not found then ask the user to validate the certificate
            boolean response = ModalUtils.confirmPanel(comp, "Trust following certificate? " + certificates.toString(),
                    PreferenceUtils.getCertificatePrefsNode(), certificates.toString(), true, "Do not show this again for the publisher above");

            if (!response) {
                throw new RuntimeException("Untrusted certificate.");
            }
//        }
    }

Show

Nowlan Freese added a comment - 14/Jun/22 3:08 PM - edited To view the modal popup consistently you need to modify the code in IGBTrustManager.java checkServerTrusted() so that the modal appears every time a certificate is authenticated. For example: public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) { StringBuilder certificates = new StringBuilder( "\n\n" ); IGB app = IGB.getInstance(); for (X509Certificate cert : certs) { certificates.append(cert.getIssuerX500Principal().getName()).append( "," ).append( "\n" ); } JComponent comp = (app == null ) ? null : app.getFrame().getRootPane(); // try { //kiran:IGBF-1362: First try to validate the certificate using the default trust store // defaultTm.checkServerTrusted(certs,authType); logger.info( "Authenticated {} certificates using default trust store" ,certificates.toString().replace( "\n" , "").replace(" \r ", " ")); // } catch (CertificateException e) { // if certificate not found then ask the user to validate the certificate boolean response = ModalUtils.confirmPanel(comp, "Trust following certificate? " + certificates.toString(), PreferenceUtils.getCertificatePrefsNode(), certificates.toString(), true , "Do not show this again for the publisher above" ); if (!response) { throw new RuntimeException( "Untrusted certificate." ); } // } }

10 older comments

Hide

Permalink

Ann Loraine added a comment - 17/Jun/22 10:08 AM

On Friday scrum, NF and AL recalled an additional instance of IGB over-riding a base Java function related to opening SSL connections. Now linked to the ticket: ~~IGBF-3001~~

Show

Ann Loraine added a comment - 17/Jun/22 10:08 AM On Friday scrum, NF and AL recalled an additional instance of IGB over-riding a base Java function related to opening SSL connections. Now linked to the ticket: IGBF-3001

Hide

Permalink

Ann Loraine added a comment - 22/Jun/22 10:08 AM - edited

BioViz Test host https://bioviztest3.bioviz.org/ is up and running with expired "start" bioviz.org certificate installed, along with the DigiCert server chain certificate previously installed.

Show

Ann Loraine added a comment - 22/Jun/22 10:08 AM - edited BioViz Test host https://bioviztest3.bioviz.org/ is up and running with expired "start" bioviz.org certificate installed, along with the DigiCert server chain certificate previously installed.

Hide

Permalink

Nowlan Freese added a comment - 23/Jun/22 3:53 PM

After discussion between Nowlan and Karthik, the current approach will be to remove the modal from the IGBTrustManager and add the modal logic to the App Store specifically, as well as improve the logic for informing the user that a Quickload's certificates are invalid.

Show

Nowlan Freese added a comment - 23/Jun/22 3:53 PM After discussion between Nowlan and Karthik, the current approach will be to remove the modal from the IGBTrustManager and add the modal logic to the App Store specifically, as well as improve the logic for informing the user that a Quickload's certificates are invalid.

Hide

Permalink

Ann Loraine added a comment - 24/Jun/22 10:44 AM - edited

AL: Suggests get rid of modal, print to log instead for everything. Observe and document effects when an App Store jar file is being accessed or downloaded from a host with a bogus SSL certificate. You can probably observe the latter behavior by setting up a repository.xml that directs IGB to download 'jar' from an https URL that's bogus due to expired or non-existent certificate.

Show

Ann Loraine added a comment - 24/Jun/22 10:44 AM - edited AL: Suggests get rid of modal, print to log instead for everything. Observe and document effects when an App Store jar file is being accessed or downloaded from a host with a bogus SSL certificate. You can probably observe the latter behavior by setting up a repository.xml that directs IGB to download 'jar' from an https URL that's bogus due to expired or non-existent certificate.

Hide

Permalink

Nowlan Freese added a comment - 24/Jun/22 3:07 PM

After discussion we have decided to close this ticket and open the following tickets:

~~IGBF-3136~~ - This ticket will remove the modal from IGBTrustManager checkServerTrusted(). If a certificate is invalid, checkServerTrusted() will print the certificate information in the IGB log.
IGBF-3137 - This ticket will migrate the modal logic used in IGBTrustManager to the IGB App Manager. If a certificate is invalid the user will be presented with the option of trusting or rejecting the certificate.
IGBF-3138 - This ticket will investigate the role of the Update plugin in IGB on checking for updated versions of IGB on startup.

Show

Nowlan Freese added a comment - 24/Jun/22 3:07 PM After discussion we have decided to close this ticket and open the following tickets: IGBF-3136 - This ticket will remove the modal from IGBTrustManager checkServerTrusted(). If a certificate is invalid, checkServerTrusted() will print the certificate information in the IGB log. IGBF-3137 - This ticket will migrate the modal logic used in IGBTrustManager to the IGB App Manager. If a certificate is invalid the user will be presented with the option of trusting or rejecting the certificate. IGBF-3138 - This ticket will investigate the role of the Update plugin in IGB on checking for updated versions of IGB on startup.

People

Assignee:

Nowlan Freese

Reporter:

Nowlan Freese

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

14/Jun/22 3:04 PM

Updated:

04/Aug/22 4:45 PM

Resolved:

24/Jun/22 3:07 PM