Add Signal Contact Discovery Service SSL certificate

golf1052 · golf1052 · commit 48605ffc35d5 · 2021-02-03T01:13:39.000-08:00
Also add documentation on adding/updating SSL certificates
diff --git a/Signal-Windows/Package.appxmanifest b/Signal-Windows/Package.appxmanifest
@@ -48,7 +48,8 @@
     <Extension Category="windows.certificates">
       <Certificates>
         <Certificate StoreName="TrustedPeople" Content="textsecure-servicewhispersystemsorg.crt" />
+        <Certificate StoreName="TrustedPeople" Content="api-directory-signal-org.crt"/>
       </Certificates>
     </Extension>
   </Extensions>
-</Package>
+</Package>
diff --git a/Signal-Windows/Signal-Windows.csproj b/Signal-Windows/Signal-Windows.csproj
@@ -143,6 +143,7 @@
     <Content Include="Assets\Wide310x150Logo.scale-125.png" />
     <Content Include="Assets\Wide310x150Logo.scale-150.png" />
     <Content Include="Assets\Wide310x150Logo.scale-400.png" />
+    <Content Include="api-directory-signal-org.crt" />
     <None Include="Package.StoreAssociation.xml" />
     <None Include="Package.xml" />
     <Content Include="textsecure-servicewhispersystemsorg.crt" />
diff --git a/Signal-Windows/api-directory-signal-org.crt b/Signal-Windows/api-directory-signal-org.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEMDCCAxigAwIBAgICEDowDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMR0w
+GwYDVQQKDBRPcGVuIFdoaXNwZXIgU3lzdGVtczEdMBsGA1UECwwUT3BlbiBXaGlz
+cGVyIFN5c3RlbXMxEzARBgNVBAMMClRleHRTZWN1cmUwHhcNMTkwNjAxMDAwMDAw
+WhcNMzEwMTA5MDMzNzEwWjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExHTAbBgNVBAoMFE9wZW4gV2hpc3BlciBTeXN0ZW1zMR0wGwYDVQQLDBRP
+cGVuIFdoaXNwZXIgU3lzdGVtczEhMB8GA1UEAwwYYXBpLmRpcmVjdG9yeS5zaWdu
+YWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz5QXsh6QPygd
+gwIY86CbopBAng5zHHknvD3pX3vOBkt7Gd6IlZ+Jle/QFblaqTFPTuU/VX1oT4OI
+c5ZTNb5g/LvKMTBRzEset9CeTjx5STRcmWRlPeu3AJPZZEOvCH3AN55GOOiF8FQp
+qoFVIhSUFS17iuRr3iGLA0Khn0Ink0qJouQuBqfrx8AL+r5dfTfEqs4sxpS34rxy
+5M8z7HrccxbdcBHkNfn/QRLVikmzpFIBhlMcd9C8orobx+9Zv1cTsyl7m95Ma6zm
+/aAVT1nPfKi9t666kYvuTezkehbOCsPqTuGZipQ8620vWs4o0u6X+t9JJfYaTHHF
+lAU+GuYzCQIDAQABo4GhMIGeMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9w
+ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSvJRKESl+1u6wi
+Vs7ju08VUdaFLzAfBgNVHSMEGDAWgBQBixjxP/s5GURuhYa+lGUypzI8kDAjBgNV
+HREEHDAaghhhcGkuZGlyZWN0b3J5LnNpZ25hbC5vcmcwDQYJKoZIhvcNAQELBQAD
+ggEBAFganu/WuRTlcn2NYQPBGjVLtFUmvxZ8Y0U9u3Vg+fj8hXkpC3IN0MlWslmK
+EIFJTYUJKpUqvmCPuhjvsaUKCsF1ECaydzl6Tt6nQZmc74epLxDCprbClM8iLDZS
++0ojUZdF/fGjT16NnoUy1aT2BhpFsIQOZCqM40jf1sHWRSsvnojPu8/NzHWBuRjt
+HKMJ/I9knakOywrd3htDQdySadU+7uwKRnX/adRpvr3sYi/4cR5sHuf6bAmL6eCB
+iZ4yTkYTQ0sPjAEYCrC2HsQPfYMdAPPMWuMlxgRDJkYT9y18jb9FXF6xVf7HhPWQ
+ZUmeym0sPsdNE2uKBEuo2YZXxrE=
+-----END CERTIFICATE-----
diff --git a/docs/quirks.md b/docs/quirks.md
@@ -0,0 +1,17 @@
+# Quirks
+
+## SSL Certificates
+
+Open Whisper Systems uses its own certificate issuer for its SSL certificates. These certs are not trusted by OSes by default meaning SSL certificate validation with any Signal URLs will fail without some intervention. With the version of UWP we're currently targeting (10.0.15063) the typical way of changing certificate validation using HttpClientHandler.ServerCertificateCustomValidationCallback doesn't work because of [unimplemented code in UWP](https://github.com/dotnet/runtime/issues/18819). [It is possible to create a custom HttpMessageHandler that uses the WinRT HttpBaseProtocolFilter](https://github.com/novotnyllc/WinRtHttpClientHandler) but that isn't a great solution. Instead we install the Signal cert into the OS trusted store when installing the app. See [textsecure-servicewhispersystemsorg.crt](../Signal-Windows/textsecure-servicewhispersystemsorg.crt) and [Package.appxmanifest](../Signal-Windows/Package.appxmanifest).
+
+### Adding/Updating Signal Certificates
+
+1. Go to the Signal URL in your browser (https://textsecure-service.whispersystems.org, https://api.directory.signal.org, etc.)
+2. View the certificate in your browser
+3. Download the certificate.
+    - Base64 encoded .CER in Chrome/Edge and PEM (cert) in Firefox
+- If adding
+  - Copy the certificate to the Signal-Windows directory
+  - Change the extension to .crt
+  - Open [Package.appxmanifest](../Signal-Windows/Package.appxmanifest) and add a new `<Certificate>` tag with `StoreName` as `TrustedPeople` and `Content` being the filename of the certificate.
+- If updating rename the certificate to match what is currently in the repo and copy the certificate to the repo
