Hi,
apparently RSA has a new schema for the QR-Code/Links. Instead of http://127.0.0.1/securid/ctf?ctfData= it's now http://127.0.0.1/securid/ctf?schema=https&url=<<<FQDN>>>:443/ctkip/services/CtkipService
and it also requires an additional activation ID.
According to the verbose logs (that the RSA app thankfully automatically enables for the first imported token) it does:
- Check for non default CAs in trust store
  android keystore is not nullandssl factory trust all cerificates = false
- Connect to the url using the schema from the above url.
- Verify the TLS context (protocol, cipher suite, peer host) and also check something it calls "allowed endPoints", probably to see if it got redirected or not?
- Response is logged as "send helo message"
- Logs something about encrypting a block and being FIPS140Compliant
- "startNewTokenRequest" second round
- Sends another request to the same endpoint (I assume containing the encrypted block from before)
- Response is logged as "send finish message"
- calculateCMAC
- getPinHandling (assuming certificate pinning to error out when the request was MITMed?)
- "device compliance is required" (probably root detection as listed in the feature set of their app)
- validateToken
- "import ctkip token done with next serial number: <<12 digit decimal serial number>>"
When googling for documentation from RSA I also stumbled across this project: https://github.com/dlenski/rsa_ct_kip
Edit: Also important note, the QR-Code/Link is valid only once. You can't use it multiple times, not even on the intended device (the server will deny your request with an error claiming the Activation code is invalid)
frankspace
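The two link shapes described in the issue above can be told apart before any import is attempted. The following is an added example, not code from this project or from RSA: the function name, the returned field names and the sample hostname are assumptions, and since the issue does not say where the activation ID is carried, the code only lists any extra query parameters without interpreting them.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}


def classify_securid_link(link):
    """Classify a SecurID import link as the older ctfData form or the CT-KIP form."""
    parts = urlsplit(link)
    if parts.path != "/securid/ctf":
        raise ValueError("not a /securid/ctf import link")
    query = parse_qs(parts.query, keep_blank_values=True)

    # Older form: the token data travels in the link itself.
    if "ctfData" in query:
        return {"format": "ctf", "ctf_data": query["ctfData"][0]}

    # Newer form: the link only names a CT-KIP service to contact.
    if "schema" in query and "url" in query:
        schema = query["schema"][0].lower()
        if schema not in DEFAULT_PORTS:
            raise ValueError("unexpected schema: %r" % schema)
        endpoint = urlsplit("%s://%s" % (schema, query["url"][0]))
        if not endpoint.hostname:
            raise ValueError("CT-KIP url has no host")
        port = endpoint.port or DEFAULT_PORTS[schema]  # .port raises on a bad port
        return {
            "format": "ctkip",
            "endpoint": endpoint.geturl(),
            "host": endpoint.hostname,
            "port": port,
            "tls": schema == "https",
            # Anything else in the link is reported, not interpreted.
            "extra_params": sorted(set(query) - {"schema", "url"}),
        }

    raise ValueError("unrecognised SecurID link format")


if __name__ == "__main__":
    # Constructed sample; token.example.com stands in for the <<<FQDN>>> placeholder.
    sample = ("http://127.0.0.1/securid/ctf?schema=https"
              "&url=token.example.com:443/ctkip/services/CtkipService")
    print(classify_securid_link(sample))
```
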